CVE-2020-15252: RCE in XWiki
First published: Fri Oct 16 2020(Updated: )
In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | <11.10.6 | |
| Xwiki Xwiki | >=12.0<12.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/12.0