cvelistv5 - cve-2023-29510

cve-2023-29510

Vulnerability from cvelistv5

Published

2023-04-18 23:42

Modified

2025-02-06 17:17

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user's own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don't have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions.

References

URL	Tags
security-advisories@github.com	https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643	Patch
security-advisories@github.com	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw	Exploit, Patch, Vendor Advisory
security-advisories@github.com	https://jira.xwiki.org/browse/XWIKI-19749	Exploit, Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jira.xwiki.org/browse/XWIKI-19749	Exploit, Issue Tracking, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	xwiki	xwiki-platform	Version: < 14.10.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T14:07:46.409Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
          },
          {
            "name": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
          },
          {
            "name": "https://jira.xwiki.org/browse/XWIKI-19749",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jira.xwiki.org/browse/XWIKI-19749"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-29510",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-06T17:17:23.076211Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-06T17:17:37.501Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "xwiki-platform",
          "vendor": "xwiki",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 14.10.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-04-18T23:42:44.396Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
        },
        {
          "name": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
        },
        {
          "name": "https://jira.xwiki.org/browse/XWIKI-19749",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jira.xwiki.org/browse/XWIKI-19749"
        }
      ],
      "source": {
        "advisory": "GHSA-4v38-964c-xjmw",
        "discovery": "UNKNOWN"
      },
      "title": "Code injection via unescaped translations in xwiki-platform"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-29510",
    "datePublished": "2023-04-18T23:42:44.396Z",
    "dateReserved": "2023-04-07T18:56:54.626Z",
    "dateUpdated": "2025-02-06T17:17:37.501Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-29510\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-04-19T00:15:08.023\",\"lastModified\":\"2024-11-21T07:57:12.180\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"14.10.2\",\"matchCriteriaId\":\"5F4B6BCB-6DC3-4721-A7DE-90710CBDB879\"}]}]}],\"references\":[{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-19749\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://jira.xwiki.org/browse/XWIKI-19749\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-19749\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-19749\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T14:07:46.409Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-29510\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-06T17:17:23.076211Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-06T17:17:32.325Z\"}}], \"cna\": {\"title\": \"Code injection via unescaped translations in xwiki-platform\", \"source\": {\"advisory\": \"GHSA-4v38-964c-xjmw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 10, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"xwiki\", \"product\": \"xwiki-platform\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 14.10.2\"}]}], \"references\": [{\"url\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\", \"name\": \"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\", \"name\": \"https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://jira.xwiki.org/browse/XWIKI-19749\", \"name\": \"https://jira.xwiki.org/browse/XWIKI-19749\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-04-18T23:42:44.396Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-29510\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-06T17:17:37.501Z\", \"dateReserved\": \"2023-04-07T18:56:54.626Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-04-18T23:42:44.396Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-4v38-964c-xjmw

Vulnerability from github

Published

2023-04-19 18:26

Modified

2023-04-19 18:26

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

Code injection via unescaped translations in xwiki-platform

Details

Impact

In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user's own profile where edit access is enabled by default.

The following describes a proof of concept exploit to demonstrate this vulnerability:

Edit the user profile with the wiki editor and set the content to error={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
Use the object editor to add an object of type XWiki.TranslationDocumentClass with scope USER.
Open the document WikiManager.AdminWikiDescriptorSheet.

The expected result would be that a message with title {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} is displayed while in fact an error that the HTML macro couldn't be executed is displayed, followed by the text "hello from groovy!" and some raw HTML, showing that the Groovy macro has been executed.

Patches

A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don't have script right by default anymore starting with XWiki 14.10.

Workarounds

There are no known workarounds apart from upgrading to a patched versions.

References

https://jira.xwiki.org/browse/XWIKI-19749
https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-administration-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3-milestone-2"
            },
            {
              "fixed": "14.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29510"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-19T18:26:35Z",
    "nvd_published_at": "2023-04-19T00:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nIn XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default.\n\nThe following describes a proof of concept exploit to demonstrate this vulnerability:\n\n1. Edit the user profile with the wiki editor and set the content to\n```\nerror={{/html}} {{async async=\"true\" cached=\"false\" context=\"doc.reference\"}}{{groovy}}println(\"hello from groovy!\"){{/groovy}}{{/async}}\n```\n2. Use the object editor to add an object of type `XWiki.TranslationDocumentClass` with scope `USER`.\n3. Open the document `WikiManager.AdminWikiDescriptorSheet`.\n\nThe expected result would be that a message with title `{{/html}} {{async async=\"true\" cached=\"false\" context=\"doc.reference\"}}{{groovy}}println(\"hello from groovy!\"){{/groovy}}{{/async}}` is displayed while in fact an error that the HTML macro couldn\u0027t be executed is displayed, followed by the text \"hello from groovy!\" and some raw HTML, showing that the Groovy macro has been executed.\n\n### Patches\n\nA mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10.\n\n### Workarounds\n\nThere are no known workarounds apart from upgrading to a patched versions.\n\n### References\n\n* https://jira.xwiki.org/browse/XWIKI-19749\n* https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)",
  "id": "GHSA-4v38-964c-xjmw",
  "modified": "2023-04-19T18:26:35Z",
  "published": "2023-04-19T18:26:35Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29510"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19749"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code injection via unescaped translations in xwiki-platform"
}

gsd-2023-29510

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Aliases

CVE-2023-29510

Aliases

CVE-2023-29510

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-29510",
    "id": "GSD-2023-29510"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-29510"
      ],
      "details": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions.",
      "id": "GSD-2023-29510",
      "modified": "2023-12-13T01:20:57.221586Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-29510",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "xwiki-platform",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c 14.10.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "xwiki"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 10,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-74",
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw",
            "refsource": "MISC",
            "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
          },
          {
            "name": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643",
            "refsource": "MISC",
            "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
          },
          {
            "name": "https://jira.xwiki.org/browse/XWIKI-19749",
            "refsource": "MISC",
            "url": "https://jira.xwiki.org/browse/XWIKI-19749"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-4v38-964c-xjmw",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[4.3-milestone-2,14.10.2)",
          "affected_versions": "All versions starting from 4.3-milestone-2 before 14.10.2",
          "cwe_ids": [
            "CWE-1035",
            "CWE-74",
            "CWE-78",
            "CWE-937"
          ],
          "date": "2023-04-19",
          "description": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions.",
          "fixed_versions": [
            "14.10.2"
          ],
          "identifier": "CVE-2023-29510",
          "identifiers": [
            "GHSA-4v38-964c-xjmw",
            "CVE-2023-29510"
          ],
          "not_impacted": "All versions before 4.3-milestone-2, all versions starting from 14.10.2",
          "package_slug": "maven/org.xwiki.platform/xwiki-platform-administration-ui",
          "pubdate": "2023-04-19",
          "solution": "Upgrade to version 14.10.2 or above.",
          "title": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
          "urls": [
            "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-29510",
            "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643",
            "https://jira.xwiki.org/browse/XWIKI-19749",
            "https://github.com/advisories/GHSA-4v38-964c-xjmw"
          ],
          "uuid": "d147fe2f-1e2d-4e5d-a5fa-ab5fc6e3aac9"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "14.10.2",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-29510"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-74"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
            },
            {
              "name": "https://jira.xwiki.org/browse/XWIKI-19749",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://jira.xwiki.org/browse/XWIKI-19749"
            },
            {
              "name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Patch",
                "Vendor Advisory"
              ],
              "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-04-28T19:20Z",
      "publishedDate": "2023-04-19T00:15Z"
    }
  }
}

fkie_cve-2023-29510

Vulnerability from fkie_nvd

Published

2023-04-19 00:15

Modified

2024-11-21 07:57

Severity ?

9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643	Patch
security-advisories@github.com	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw	Exploit, Patch, Vendor Advisory
security-advisories@github.com	https://jira.xwiki.org/browse/XWIKI-19749	Exploit, Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://jira.xwiki.org/browse/XWIKI-19749	Exploit, Issue Tracking, Patch, Vendor Advisory

Impacted products

	Vendor	Product	Version
	xwiki	xwiki	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F4B6BCB-6DC3-4721-A7DE-90710CBDB879",
              "versionEndExcluding": "14.10.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user\u0027s own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. This means that regular users cannot exploit this anymore as users don\u0027t have script right by default anymore starting with XWiki 14.10. There are no known workarounds apart from upgrading to a patched versions."
    }
  ],
  "id": "CVE-2023-29510",
  "lastModified": "2024-11-21T07:57:12.180",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-04-19T00:15:08.023",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://jira.xwiki.org/browse/XWIKI-19749"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://jira.xwiki.org/browse/XWIKI-19749"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2023-29510

Vulnerability from cvelistv5

ghsa-4v38-964c-xjmw

Vulnerability from github

Impact

Patches

Workarounds

References

For more information

gsd-2023-29510

Vulnerability from gsd

fkie_cve-2023-29510

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature