First published: Thu Oct 12 2023 (Updated: )
### Impact

A user without any specific rights can perform script injection and remote code execution simply by supplying a crafted title when creating a new Change Request. This is particularly critical because Change Requests are meant to be created by users who hold no particular rights, so the attack surface is the entire user base of the wiki.

### Patches

The vulnerability has been fixed in Change Request 1.9.2.

### Workarounds

The issue can be worked around without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and applying the same change as in the fix commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

### References

* JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
* Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at the [Security Mailing List](mailto:security@xwiki.org)

### Attribution

Thanks to Michael Hamann for the report.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.contrib.changerequest:application-changerequest-ui | >=0.11, <1.9.2 | Upgrade to 1.9.2 |
| XWiki Change Request | >=0.11, <1.9.2 | Upgrade to 1.9.2 |
CVE-2023-45138 is a vulnerability in the XWiki Change Request application that lets any user who can create a Change Request, without any specific rights, perform script injection and remote code execution.
CVE-2023-45138 is rated critical, with a severity value of 10.
An attacker exploits CVE-2023-45138 by supplying a crafted title when creating a new Change Request; the title is processed in a way that allows script injection and, through it, remote code execution on the wiki.
The affected software is org.xwiki.contrib.changerequest:application-changerequest-ui from version 0.11 up to, but excluding, 1.9.2.
Yes, a fix is available for CVE-2023-45138: update org.xwiki.contrib.changerequest:application-changerequest-ui to version 1.9.2 or later. If an immediate upgrade is not possible, apply the workaround described above to `ChangeRequest.Code.ChangeRequestSheet`.
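The affected range above is easy to get wrong with a naive string comparison (for example, `"1.10.0" < "1.9.2"` is true as text). The following is an added example, not code from the advisory or from the XWiki project: a small version check that decides whether an installed Change Request version falls inside the affected range `>=0.11, <1.9.2`. It assumes Maven-style version strings, where a `-SNAPSHOT` or similar qualifier sorts before the plain release of the same number, so `1.9.2-SNAPSHOT` is still treated as affected; the function and constant names are the example's own.

```python
"""Check an XWiki Change Request version against the range CVE-2023-45138
marks as affected (>=0.11, <1.9.2). Added example; not project code."""

import re
import sys
from typing import Tuple

# Range taken from the advisory's affected-software table.
AFFECTED_MIN = "0.11"
FIXED_IN = "1.9.2"

# Dotted numeric components, optionally followed by a qualifier such as
# "-SNAPSHOT" or "-rc1" (assumed Maven-style naming).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z]+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.9.2-SNAPSHOT' into ((1, 9, 2), 'SNAPSHOT')."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    qualifier = (match.group(2) or "").upper()
    return numbers, qualifier


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Components are compared numerically, so 1.10.0 > 1.9.2, and missing
    trailing components count as 0, so 1.9 == 1.9.0. A qualified version
    (e.g. 1.9.2-SNAPSHOT) sorts before the plain release with the same
    numbers, following Maven's convention.
    """
    numbers_a, qual_a = parse_version(a)
    numbers_b, qual_b = parse_version(b)
    width = max(len(numbers_a), len(numbers_b))
    numbers_a += (0,) * (width - len(numbers_a))
    numbers_b += (0,) * (width - len(numbers_b))
    if numbers_a != numbers_b:
        return -1 if numbers_a < numbers_b else 1
    # Same numbers: a pre-release qualifier is older than the release.
    if (qual_a == "") != (qual_b == ""):
        return 1 if qual_a == "" else -1
    return 0


def is_affected(version: str) -> bool:
    """True if `version` lies in the advisory's affected range [0.11, 1.9.2)."""
    return compare(version, AFFECTED_MIN) >= 0 and compare(version, FIXED_IN) < 0


if __name__ == "__main__":
    # Usage: python check_crapp298.py 1.9.1
    installed = sys.argv[1] if len(sys.argv) > 1 else "1.9.1"
    verdict = "AFFECTED: upgrade to 1.9.2" if is_affected(installed) else "not affected"
    print(f"Change Request {installed}: {verdict}")
```

The installed version can be read from the wiki's Extension Manager entry for `org.xwiki.contrib.changerequest:application-changerequest-ui`; feed that string to `is_affected`. Treat a `SNAPSHOT` build of 1.9.2 as affected unless you have confirmed it includes the fix commit.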