First published: Tue Apr 18 2023
### Impact

It's possible to display any page you cannot access through the combination of the async and display macro.

Steps to reproduce:

1. Enable comments for guests by giving guests comment rights
2. As a guest, create a comment with content `{{async}}{{display reference="Menu.WebHome" /}}{{/async}}`
3. Open the comments viewer from the menu (appends `?viewer=comments` to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it

### Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11.

### Workarounds

There is no known workaround.

### References

* https://jira.xwiki.org/browse/XWIKI-20394
* https://jira.xwiki.org/browse/XRENDERING-694

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)
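The reproduction above relies on a `display` macro being wrapped in an `async` block so that the rendering of the referenced page escapes the access check. Until an instance is on one of the patched versions, a defender can at least audit stored content written by low-privilege users for that nesting. The following is an added example (not XWiki's code and not the project's fix): a small scanner over XWiki Syntax 2.x macro markup (`{{name param="v"}}...{{/name}}` and `{{name param="v" /}}`, an assumption about the markup forms that matter here) that reports any `display` macro nested inside an open `async` block. The sample comments, their ids and author names are constructed.

```python
import re

# XWiki Syntax 2.x macro forms assumed by this scanner (see lead-in):
#   {{name param="v"}} ... {{/name}}   block macro with a body
#   {{name param="v" /}}               macro without a body
MACRO_RE = re.compile(r"\{\{(/?)([A-Za-z][\w-]*)([^{}]*?)(/?)\}\}")
PARAM_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def find_nested_display(content, outer="async", inner="display"):
    """Return one finding per `inner` macro that sits inside an open `outer`
    macro block, i.e. the display-inside-async pattern from the advisory.
    Each finding carries the macro's offset and its parameters."""
    stack = []       # names of block macros currently open
    findings = []
    for m in MACRO_RE.finditer(content):
        closing, name, params, selfclosing = m.groups()
        name = name.lower()
        if closing:
            # close the innermost matching opener; ignore stray closers
            if name in stack:
                while stack and stack.pop() != name:
                    pass
            continue
        if name == inner and outer in stack:
            findings.append({
                "offset": m.start(),
                "params": dict(PARAM_RE.findall(params)),
            })
        if not selfclosing:
            stack.append(name)
    return findings


def triage_comments(comments):
    """Run the check over (comment_id, author, body) records and return the
    ids whose body nests a display macro inside an async block."""
    return [cid for cid, _author, body in comments if find_nested_display(body)]


# Constructed sample comments (not real data); the first body is the
# advisory's reproduction payload, the others are benign or unwrapped.
SAMPLE_COMMENTS = [
    ("c1", "guest", '{{async}}{{display reference="Menu.WebHome" /}}{{/async}}'),
    ("c2", "guest", "Thanks, this helped."),
    ("c3", "alice", '{{display reference="Sandbox.WebHome" /}}'),
    ("c4", "guest", '{{async cached="false"}}see {{display reference="Admin.WebHome"/}}{{/async}}'),
]

if __name__ == "__main__":
    for cid in triage_comments(SAMPLE_COMMENTS):
        print("review comment", cid, find_nested_display(dict(
            (c[0], c[2]) for c in SAMPLE_COMMENTS)[cid]))
```

A text scan of this kind only sees content stored as wiki syntax it can tokenize; the patched versions listed under Patches remain the actual fix, and the scanner is a triage aid for finding content to review in the meantime.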
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
Xwiki Xwiki | >=10.11.1, <13.10.11 | 
Xwiki Xwiki | >=14.0, <14.4.8 | 
Xwiki Xwiki | >=14.5, <14.10.3 | 
maven/org.xwiki.platform:xwiki-platform-rendering-async-macro | >=14.5, <14.10.3 | 14.10.3
maven/org.xwiki.platform:xwiki-platform-rendering-async-macro | >=14.0-rc-1, <14.4.8 | 14.4.8
maven/org.xwiki.platform:xwiki-platform-rendering-async-macro | >=10.11.1, <13.10.11 | 13.10.11
maven/org.xwiki.platform:xwiki-platform-oldcore | >=14.5, <14.10.3 | 14.10.3
maven/org.xwiki.platform:xwiki-platform-oldcore | >=14.0-rc-1, <14.4.8 | 14.4.8
maven/org.xwiki.platform:xwiki-platform-oldcore | >=10.11.1, <13.10.11 | 13.10.11
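To turn the Maven rows of this table into a check that can be run against a deployment's dependency list, here is an added example (not SecAlerts' or XWiki's code). It encodes the two artifacts' ranges and fix versions from the table and compares versions with a simplified Maven-style ordering in which a release sorts after its own pre-releases, so `14.0-rc-1` falls inside `>=14.0-rc-1` while `14.4.8-rc-1` is still below `14.4.8`. The ordering rules are a simplification that covers only the numeric and `-rc-N` forms used on this page; the artifact names and ranges are copied from the table.

```python
import re

# Affected ranges and fix versions copied from the advisory table above.
# Keys are the Maven artifacts; each entry is (range spec, fixed version).
AFFECTED = {
    "org.xwiki.platform:xwiki-platform-rendering-async-macro": [
        (">=14.5<14.10.3", "14.10.3"),
        (">=14.0-rc-1<14.4.8", "14.4.8"),
        (">=10.11.1<13.10.11", "13.10.11"),
    ],
    "org.xwiki.platform:xwiki-platform-oldcore": [
        (">=14.5<14.10.3", "14.10.3"),
        (">=14.0-rc-1<14.4.8", "14.4.8"),
        (">=10.11.1<13.10.11", "13.10.11"),
    ],
}

# Range spec syntax as written in the table: ">=LOW<HIGH", LOW inclusive, HIGH exclusive.
RANGE_RE = re.compile(r"^>=([^<]+)<(.+)$")


def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH[-qualifier-...]' into (numbers, qualifiers).
    Trailing zeros are dropped so 14.0 == 14.0.0. Simplified Maven ordering:
    only the forms that appear in the advisory's ranges are handled."""
    main, _, rest = v.strip().partition("-")
    nums = [int(p) for p in main.split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    quals = []
    for tok in (rest.split("-") if rest else []):
        # numeric qualifier tokens compare as ints, others as lowercase text
        quals.append((1, int(tok)) if tok.isdigit() else (0, tok.lower()))
    return tuple(nums), tuple(quals)


def compare(a, b):
    """Return -1, 0 or 1. A release sorts after its own pre-releases
    (14.0-rc-1 < 14.0), which is what makes the -rc-1 bound in the table work."""
    na, qa = parse_version(a)
    nb, qb = parse_version(b)
    if na != nb:
        return -1 if na < nb else 1
    if qa == qb:
        return 0
    if not qa:      # a is the release, b is a pre-release of the same number
        return 1
    if not qb:
        return -1
    return -1 if qa < qb else 1


def in_range(version, spec):
    m = RANGE_RE.match(spec)
    if not m:
        raise ValueError(f"unsupported range spec: {spec}")
    low, high = m.group(1), m.group(2)
    return compare(version, low) >= 0 and compare(version, high) < 0


def is_affected(artifact, version):
    """Return (affected?, fixed version to upgrade to) for one Maven artifact."""
    for spec, fix in AFFECTED.get(artifact, []):
        if in_range(version, spec):
            return True, fix
    return False, None


if __name__ == "__main__":
    # constructed sample inventory of (artifact, installed version)
    for art, ver in [
        ("org.xwiki.platform:xwiki-platform-oldcore", "14.4.7"),
        ("org.xwiki.platform:xwiki-platform-oldcore", "14.10.3"),
        ("org.xwiki.platform:xwiki-platform-rendering-async-macro", "13.10.10"),
    ]:
        print(art, ver, is_affected(art, ver))
```

The three "Xwiki Xwiki" rows carry no fix version in the table, so only the Maven rows are encoded; a version outside every range (for example `15.0-rc-1`, one of the patched releases) reports `(False, None)`.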
CVE-2023-29526 is a vulnerability in XWiki Platform that allows users to display or interact with pages they do not have access to.
CVE-2023-29526 affects XWiki Platform versions 10.11.1 to 13.10.11, versions 14.0 to 14.4.8, and versions 14.5 to 14.10.3.
CVE-2023-29526 has a severity rating of 8.8 (Critical).
To fix CVE-2023-29526, it is recommended to upgrade XWiki Platform to a version that is not affected by the vulnerability.
References for CVE-2023-29526: [link1](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gpq5-7p34-vqx5), [link2](https://jira.xwiki.org/browse/XRENDERING-694), [link3](https://jira.xwiki.org/browse/XWIKI-20394)