CVE-2023-26056 - OpenCVE

XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:3.0:milestone1::::::
	cpe:2.3:a:xwiki:xwiki:3.0:milestone2::::::
	cpe:2.3:a:xwiki:xwiki:3.0:milestone3::::::

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6	Patch
https://github.com/xwiki/xwiki-platform/commit/bd34ad6710ed72304304a3d5fec38b7cc050ef3b	Patch
https://github.com/xwiki/xwiki-platform/commit/dd3f4735b41971b3afc3f3aedf6664b4e8be4894	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-859x-p6jp-rc2w	Exploit Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19856	Exploit Issue Tracking Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-02T18:44:00.363Z

Updated: 2023-03-02T18:44:00.363Z

Reserved: 2023-02-17T22:44:03.151Z

Link: CVE-2023-26056

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-03-02T19:15:10.957

Modified: 2023-03-13T16:15:29.717

Link: CVE-2023-26056

JSON object: View

Redhat Information

No data.

CWE

CWE-863

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-26056", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-17T22:44:03.151Z", "datePublished": "2023-03-02T18:44:00.363Z", "dateUpdated": "2023-03-02T18:44:00.363Z"}, "containers": {"cna": {"title": "XWiki Platform allows macro execution as any user without programming rights through the context macro", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-859x-p6jp-rc2w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-859x-p6jp-rc2w"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/bd34ad6710ed72304304a3d5fec38b7cc050ef3b", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/bd34ad6710ed72304304a3d5fec38b7cc050ef3b"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/dd3f4735b41971b3afc3f3aedf6664b4e8be4894", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/dd3f4735b41971b3afc3f3aedf6664b4e8be4894"}, {"name": "https://jira.xwiki.org/browse/XWIKI-19856", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-19856"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 3.0-milestone-1, < 13.10.10", "status": "affected"}, {"version": ">= 14.0-rc-1, < 14.4.5", "status": "affected"}, {"version": ">= 14.5, < 14.8-rc-1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-02T18:44:00.363Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue."}], "source": {"advisory": "GHSA-859x-p6jp-rc2w", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "D1595259-D265-4602-95D3-C6C8F83EBEF6", "versionEndExcluding": "13.10.10", "versionStartIncluding": "3.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD91ED5A-574E-416A-B503-04D5EBD7FCB5", "versionEndExcluding": "14.4.5", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD83BA23-29DC-4430-A6DF-02D03BDFC983", "versionEndExcluding": "14.8", "versionStartIncluding": "14.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:3.0:milestone1:*:*:*:*:*:*", "matchCriteriaId": "7BEE764B-ED54-43D8-9748-DE57B5F1D701", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:3.0:milestone2:*:*:*:*:*:*", "matchCriteriaId": "90C4A1EA-8B6A-4FE8-985B-EB924DA3A826", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:3.0:milestone3:*:*:*:*:*:*", "matchCriteriaId": "A45A230D-909F-42D3-836D-95660805B094", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue."}], "id": "CVE-2023-26056", "lastModified": "2023-03-13T16:15:29.717", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-03-02T19:15:10.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/bd34ad6710ed72304304a3d5fec38b7cc050ef3b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/dd3f4735b41971b3afc3f3aedf6664b4e8be4894"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-859x-p6jp-rc2w"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-19856"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}