CVE-2023-37909 : XWiki Platform is a generic wiki platform offering runtime services for applicat

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.8 and 15.3-rc-1 by adding proper escaping. As a workaround, the patch can be manually applied to the document `Menu.UIExtensionSheet`; only three lines need to be changed.

Published 2023-10-25 18:17:28

Updated 2023-10-31 19:06:12

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2023-37909

Xwiki » Xwiki
Versions from including (>=) 5.1 and before (<) 14.10.8
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-37909

EPSS FAQ

36.61%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-37909

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-37909

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2023-37909

https://jira.xwiki.org/browse/XWIKI-20746

[XWIKI-20746] Privilege escalation (PR) from account through Menu.UIExtensionSheet - XWiki.org JIRA
Exploit;Issue Tracking;Patch;Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v2rr-xw95-wcjx

Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet · Advisory · xwiki/xwiki-platform · GitHub
Exploit;Patch;Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be

XWIKI-20746: Improve escaping in Menu.UIExtensionSheet · xwiki/xwiki-platform@9e8f080 · GitHub
Patch

Jump to

Vulnerability Details : CVE-2023-37909

Products affected by CVE-2023-37909

Exploit prediction scoring system (EPSS) score for CVE-2023-37909

CVSS scores for CVE-2023-37909

CWE ids for CVE-2023-37909

References for CVE-2023-37909