CVE-2023-26475 - OpenCVE

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Xwiki	Xwiki

Configuration 1 [-]

OR	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki::::::::
	cpe:2.3:a:xwiki:xwiki:2.3:milestone1::::::

References

Link	Resource
https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7	Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr	Exploit Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20360	Exploit Issue Tracking Patch Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20384	Issue Tracking Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-03-02T18:07:04.129Z

Updated: 2023-03-02T18:07:04.129Z

Reserved: 2023-02-23T23:22:58.573Z

Link: CVE-2023-26475

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-03-02T19:15:11.470

Modified: 2023-03-13T17:53:39.227

Link: CVE-2023-26475

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-26475", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2023-02-23T23:22:58.573Z", "datePublished": "2023-03-02T18:07:04.129Z", "dateUpdated": "2023-03-02T18:07:04.129Z"}, "containers": {"cna": {"title": "XWiki Platform vulnerable to Remote Code Execution in Annotations", "problemTypes": [{"descriptions": [{"cweId": "CWE-270", "lang": "en", "description": "CWE-270: Privilege Context Switching Error", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr"}, {"name": "https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7", "tags": ["x_refsource_MISC"], "url": "https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7"}, {"name": "https://jira.xwiki.org/browse/XWIKI-20360", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-20360"}, {"name": "https://jira.xwiki.org/browse/XWIKI-20384", "tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-20384"}], "affected": [{"vendor": "xwiki", "product": "xwiki-platform", "versions": [{"version": ">= 2.3-milestone-1, < 13.10.11", "status": "affected"}, {"version": ">= 14.0-rc-1, < 14.4.7", "status": "affected"}, {"version": ">= 14.5, < 14.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-03-02T18:07:04.129Z"}, "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade."}], "source": {"advisory": "GHSA-h6f5-8jj5-cxhr", "discovery": "UNKNOWN"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "E2345A26-DC22-4A19-9CE0-9DCE395C7996", "versionEndExcluding": "13.10.11", "versionStartExcluding": "2.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA3A5151-58FB-48CF-BFFB-5688608200C8", "versionEndExcluding": "14.4.7", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "569EE28C-5C86-467F-A153-DD4B9BF0053D", "versionEndExcluding": "14.10", "versionStartIncluding": "14.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:2.3:milestone1:*:*:*:*:*:*", "matchCriteriaId": "0075AEEF-E71A-4BE1-9062-1F304E734E09", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade."}], "id": "CVE-2023-26475", "lastModified": "2023-03-13T17:53:39.227", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-03-02T19:15:11.470", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-20360"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-20384"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-269"}, {"lang": "en", "value": "CWE-270"}], "source": "security-advisories@github.com", "type": "Secondary"}]}