CVE-2023-45138
high-risk
Published 2023-10-12
Change Request is an application that lets users request changes on a wiki without publishing those changes directly. Starting in version 0.11 and prior to version 1.9.2, a user without any specific rights can perform script injection and remote code execution simply by supplying a crafted title when creating a new Change Request. This is particularly critical because Change Requests are meant to be created by users without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It is possible to work around the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and applying the same change as in the fix commit.
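The first question a practitioner has is whether a given install falls in the affected range (0.11 and later, before 1.9.2). The check below is an added example written for this page, not code from the advisory or from the XWiki project. It assumes version strings of the dotted-numeric form used by XWiki extensions, optionally with a pre-release suffix such as `-rc-1`; the inventory dictionary is constructed sample data, and treating a pre-release of 1.9.2 as still affected is an assumption (only the 1.9.2 release is stated to carry the fix).

```python
import re
from typing import Dict, Tuple

# Affected range stated in the advisory: 0.11 <= version < 1.9.2
AFFECTED_FROM = "0.11"
FIXED_IN = "1.9.2"

# dotted numeric part, then an optional suffix separated by '-' or '.'
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]?(.*))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.9.2' or '1.10-rc-1' into numeric parts and a suffix.

    Comparing the numeric tuple avoids the string-comparison trap where
    '1.10' sorts before '1.9'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    suffix = m.group(2) or ""
    return nums, suffix


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Missing trailing components count as zero (1.9 == 1.9.0). A pre-release
    suffix sorts before the plain release (1.9.2-rc-1 < 1.9.2); two suffixes
    are compared as text (assumption, good enough for triage).
    """
    na, sa = parse_version(a)
    nb, sb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if sa == sb:
        return 0
    if sa == "":
        return 1
    if sb == "":
        return -1
    return -1 if sa < sb else 1


def is_affected(version: str, first_affected: str = AFFECTED_FROM,
                fixed: str = FIXED_IN) -> bool:
    """True when first_affected <= version < fixed."""
    return compare(version, first_affected) >= 0 and compare(version, fixed) < 0


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Map {instance_name: change_request_version} to {instance_name: affected?}.

    The inventory shape is an assumption for this example.
    """
    return {name: is_affected(v) for name, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real data.
    sample = {
        "wiki-prod": "1.9.1",
        "wiki-staging": "1.10",
        "wiki-legacy": "0.9",
        "wiki-dev": "1.9.2-rc-1",
    }
    for name, affected in triage(sample).items():
        verdict = "AFFECTED, upgrade to 1.9.2 or apply the sheet workaround" if affected else "not affected"
        print(f"{name}: {verdict}")
```

Note that `1.10` is correctly reported as not affected even though a naive string comparison would place it below `1.9.2`; that is the mistake this check exists to avoid.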
Do I need to act?
EPSS: 78.4% chance of exploitation in the next 30 days (EPSS score higher than 22% of all CVEs)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Fix available: upgrade to Change Request 1.9.2 (fix commit 518ba7341ada2badc2bbf7043881411c674d35f3)
CVSS 10.0/10, Critical: attack vector NETWORK, attack complexity LOW
Affected product: Change Request (XWiki extension), versions 0.11 and later before 1.9.2
Affected vendor: XWiki
References
Issue Tracking: https://jira.xwiki.org/browse/CRAPP-298
Risk score: 58/100 (high-risk)
Severity: 33/34, Critical
Exploitability: 20/34, Moderate
Exposure: 5/34, Minimal