CVE-2023-29521 : XWiki Platform is a generic wiki platform offering runtime services for applicat

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default.This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Published 2023-04-19 00:15:09

Updated 2023-04-28 18:09:46

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-29521

Xwiki » Xwiki
Versions before (<) 13.10.11
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions
Xwiki » Xwiki
Versions from including (>=) 14.0 and before (<) 14.4.8
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions
Xwiki » Xwiki
Versions from including (>=) 14.5 and before (<) 14.10.2
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-29521

EPSS FAQ

1.19%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-29521

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.4	HIGH	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L	1.8	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: Low

CWE ids for CVE-2023-29521

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)

References for CVE-2023-29521

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p67q-h88v-5jgr

Privilege escalation (PR) from account/view through VFS Tree macro · Advisory · xwiki/xwiki-platform · GitHub
Exploit;Patch;Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20260

[XWIKI-20260] Privilege escalation (PR) from account/view through VFS Tree macro - XWiki.org JIRA
Exploit;Issue Tracking;Patch;Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12

XWIKI-20260: Improved escaping of VFSTreeMacro · xwiki/xwiki-platform@fad0232 · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-29521

Products affected by CVE-2023-29521

Exploit prediction scoring system (EPSS) score for CVE-2023-29521

CVSS scores for CVE-2023-29521

CWE ids for CVE-2023-29521

References for CVE-2023-29521