Description

XWiki Platform suffers from an injection flaw in the SkinsCode.XWikiSkinsSheet, allowing attackers with view access to execute arbitrary code including Groovy and Python macros.

Remediation

Upgrade to XWiki versions 14.4.8, 14.10.4, 15.0-rc-1 pr higher to resolve this vulnerability.

References

XWiki Security Advisory

Related Vulnerabilities

MySQL CVE-2020-14812 Vulnerability (CVE-2020-14812)

MediaWiki Observable Differences in Behavior to Error Inputs Vulnerability (CVE-2020-35624)

MySQL CVE-2019-2503 Vulnerability (CVE-2019-2503)

MediaWiki Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2013-6455)

Oracle JRE CVE-2013-5775 Vulnerability (CVE-2013-5775)

Severity

High

Classification

CVE-2023-37462 CWE-74 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Remote Code Execution Known Vulnerabilities