CVE-2023-29507
moderate-risk
Published 2023-04-16
XWiki Commons are technical libraries common to several other top-level XWiki projects. The Document script API directly returns a DocumentAuthors object, which allows any author to be set on the document; because this author is used for rights checking, it can in turn allow subsequent script executions. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
Do I need to act?
0.85% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.1/10
Critical
NETWORK / LOW complexity
Affected Vendors
References (7)
Issue Tracking
https://jira.xwiki.org/browse/XWIKI-20380
41 / 100
moderate-risk
Severity
31/34 · Critical
Exploitability
3/34 · Minimal
Exposure
7/34 · Low