Vulnerability Details : CVE-2023-37462
Potential exploit
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade. The fix commit `d9c88ddc` can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet` and users unable to upgrade are advised to manually patch their installations.
Vulnerability category: Execute code
Products affected by CVE-2023-37462
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-37462
91.76%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 100 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-37462
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
|
9.9
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
3.1
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2023-37462
-
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.Assigned by: security-advisories@github.com (Primary)
-
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").Assigned by: security-advisories@github.com (Primary)
References for CVE-2023-37462
-
https://jira.xwiki.org/browse/XWIKI-20457
[XWIKI-20457] Privilege escalation (PR) from view right via SkinsCode.XWikiSkinsSheet - XWiki.org JIRAExploit;Issue Tracking;Vendor Advisory
-
https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29
XWIKI-20457: Improve escaping in SkinsCode.XWikiSkinsSheet · xwiki/xwiki-platform@d9c88dd · GitHubPatch
-
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui · Advisory · xwiki/xwiki-platform · GitHubExploit;Issue Tracking;Patch;Vendor Advisory
Jump to