CVE-2023-29214

moderate-risk
Published 2023-04-16

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10.

Do I need to act?

~
6.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 08e0887f0362b21614e6bfcb5be7e1f568659c41, 962ee4ac0352ab1a89cc779c29e81b0674d0203e, c524887d154ff8f6df9651e36b904e234bf5a6ef
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Xwiki

References (6)

Patch https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf...
Exploit https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh
Exploit https://jira.xwiki.org/browse/XWIKI-20306
Patch https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf...
Exploit https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh
Exploit https://jira.xwiki.org/browse/XWIKI-20306
49
/ 100
moderate-risk
Severity 33/34 · Critical
Exploitability 9/34 · Low
Exposure 7/34 · Low