CVE-2020-15252: RCE in XWiki
First published: Fri Oct 16 2020(Updated: )
In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki | <11.10.6 | |
| Xwiki | >=12.0<12.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2020-15252?
CVE-2020-15252 has a critical severity rating due to its potential for arbitrary code execution.
How do I fix CVE-2020-15252?
To fix CVE-2020-15252, upgrade to XWiki versions 12.5, 11.10.6, or later.
Who is affected by CVE-2020-15252?
CVE-2020-15252 affects any user with SCRIPT rights in XWiki versions prior to 12.5 and 11.10.6.
What type of vulnerability is CVE-2020-15252?
CVE-2020-15252 is a remote code execution vulnerability that allows unauthorized access to the application server context.
What versions of XWiki are vulnerable to CVE-2020-15252?
XWiki versions before 12.5 and between 12.0 and 12.5, as well as all versions before 11.10.6, are vulnerable to CVE-2020-15252.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/author
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- vendor/xwiki
- canonical/xwiki
- version/xwiki/12.0