CVE-2023-35166

high-risk
Published 2023-06-20

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5.

Do I need to act?

!
27.2% chance of exploitation in next 30 days
EPSS score — higher than 73% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 0cb75bab7ac0c3ecbd0429e88726435b55970c8e, 216402d67310861edc37d1b31e587781b9d6b0aa
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Xwiki

References (6)

Patch https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c...
Patch https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7h
Exploit https://jira.xwiki.org/browse/XWIKI-20281
Patch https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c...
Patch https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7h
Exploit https://jira.xwiki.org/browse/XWIKI-20281
53
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 15/34 · Moderate
Exposure 5/34 · Minimal