Vulnerability Details : CVE-2023-35166
Potential exploit
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5.
Products affected by CVE-2023-35166
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-35166
30.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 96 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-35166
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
|
9.9
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
3.1
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2023-35166
-
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.Assigned by: security-advisories@github.com (Secondary)
References for CVE-2023-35166
-
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7h
Privilege escalation (PR) from account through TipsPanel · Advisory · xwiki/xwiki-platform · GitHubPatch;Vendor Advisory
-
https://jira.xwiki.org/browse/XWIKI-20281
[XWIKI-20281] Privilege escalation (PR) from account through TipsPanel - XWiki.org JIRAExploit;Vendor Advisory
-
https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178
XWIKI-20281: Improve tips rendering · xwiki/xwiki-platform@98208c5 · GitHubPatch
Jump to