CVE-2023-29518: Code injection from view right using Invitation.InvitationCommon in xwiki-platform
First published: Tue Apr 18 2023(Updated: )
### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf) on `Invitation.InvitationCommon`. ### References - https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf - https://jira.xwiki.org/browse/XWIKI-20283 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | <13.10.11 | |
| Xwiki Xwiki | >=14.0<14.4.8 | |
| Xwiki Xwiki | >=14.5<14.10.1 | |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=14.5<14.10.1 | 14.10.1 |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=14.0-rc-1<14.4.8 | 14.4.8 |
| maven/org.xwiki.platform:xwiki-platform-invitation-ui | >=2.5-m-1<13.10.11 | 13.10.11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-px54-3w5j-qjg9
- https://jira.xwiki.org/browse/XWIKI-20283
- https://nvd.nist.gov/vuln/detail/CVE-2023-29518
- https://github.com/advisories/GHSA-px54-3w5j-qjg9 (Advisory)
Frequently Asked Questions
What is CVE-2023-29518?
CVE-2023-29518 is a vulnerability in XWiki Platform that allows any user with view rights to execute arbitrary code, leading to full access to the XWiki installation.
How severe is CVE-2023-29518?
CVE-2023-29518 has a severity rating of 8.8 out of 10, indicating a critical vulnerability.
How does CVE-2023-29518 affect XWiki?
CVE-2023-29518 affects XWiki versions up to 13.10.11, versions between 14.0 and 14.4.8, and versions between 14.5 and 14.10.1.
What is the root cause of CVE-2023-29518?
The root cause of CVE-2023-29518 is the improper escaping of `Invitation.InviteParameters` in XWiki.
How can I fix CVE-2023-29518?
To fix CVE-2023-29518, it is recommended to upgrade to a version of XWiki that includes the fix mentioned in the references.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-px54-3w5j-qjg9
- alias/CVE-2023-29518
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/author
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/title
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/tags
- agent/first-publish-date
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/14.0
- version/xwiki xwiki/14.5
- package-manager/maven