CVE-2020-15171: Users with SCRIPT rights can execute arbitrary code in XWiki
First published: Thu Sep 10 2020(Updated: )
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki | <11.10.5 | |
| Xwiki | >=12.0.0<12.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2020-15171?
CVE-2020-15171 has a high severity rating allowing users with SCRIPT rights to execute arbitrary code.
How do I fix CVE-2020-15171?
To resolve CVE-2020-15171, upgrade XWiki to version 11.10.5 or 12.2.1 or later.
Who is affected by CVE-2020-15171?
CVE-2020-15171 affects all versions of XWiki prior to 11.10.5 and between 12.0.0 and 12.2.1 inclusive.
What are the implications of CVE-2020-15171?
CVE-2020-15171 can allow unauthorized users to potentially take control of the application server and execute arbitrary code.
Is CVE-2020-15171 exploitable remotely?
Yes, CVE-2020-15171 is exploitable remotely by any user with SCRIPT access rights.
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/author
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/xwiki
- canonical/xwiki
- version/xwiki/12.0.0