critical
9.9
CWE
94 95
Advisory Published
CVE Published
Updated

CVE-2023-35150: XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application

First published: Tue Jun 20 2023(Updated: )

### Impact Any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. See the example below: Open `<xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view` where `<xwiki-host>` is the URL of your XWiki installation. ### Patches The problem as been patching on XWiki 15.0, 14.10.4 and 14.4.8. ### Workarounds It is possible to partially fix the issue by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a). Note that some additional issue can remain and can be fixed automatically by a migration. Hence, it is advised to upgrade to one of the patched version instead of patching manually. ### References - https://jira.xwiki.org/browse/XWIKI-20285 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Xwiki Xwiki>=2.5<14.4.8
Xwiki Xwiki>=14.10<14.10.4
Xwiki Xwiki=2.4-milestone2
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=15.0-rc-1<15.0
15.0
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=14.5<14.10.4
14.10.4
maven/org.xwiki.platform:xwiki-platform-invitation-ui>=2.4-m-2<14.4.8
14.4.8

Remedy

https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a

Remedy

https://jira.xwiki.org/browse/XWIKI-20285

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2023-35150?

    CVE-2023-35150 is a vulnerability in XWiki Platform that allows any user with view rights on any document to execute code with programming rights, leading to remote code execution.

  • What is the severity of CVE-2023-35150?

    CVE-2023-35150 has a severity level of critical.

  • How does CVE-2023-35150 affect XWiki Platform?

    CVE-2023-35150 affects XWiki Platform versions 2.40m-2 to 14.4.8, 14.10.4, and 15.0.

  • Is there a fix for CVE-2023-35150?

    Yes, the fix for CVE-2023-35150 is available in XWiki Platform versions 14.4.8, 14.10.4, and 15.0.

  • Where can I find more information about CVE-2023-35150?

    You can find more information about CVE-2023-35150 in the references provided: [Reference 1](https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a), [Reference 2](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w), [Reference 3](https://jira.xwiki.org/browse/XWIKI-20285).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203