Description

XWiki Platform suffers from an injection flaw in the SkinsCode.XWikiSkinsSheet, allowing attackers with view access to execute arbitrary code including Groovy and Python macros.

Remediation

Upgrade to XWiki versions 14.4.8, 14.10.4, 15.0-rc-1 pr higher to resolve this vulnerability.

References

XWiki Security Advisory

Related Vulnerabilities

Opencart Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2020-10596)

e107 Improper Control of Generation of Code ('Code Injection') Vulnerability (CVE-2008-1989)

ZenCart Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2011-4547)

MySQL CVE-2024-21090 Vulnerability (CVE-2024-21090)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2019-10086)

Severity

High

Classification

CVE-2023-37462 CWE-74 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Remote Code Execution Known Vulnerabilities