Description

XWiki Platform suffers from an injection flaw in the SkinsCode.XWikiSkinsSheet, allowing attackers with view access to execute arbitrary code including Groovy and Python macros.

Remediation

Upgrade to XWiki versions 14.4.8, 14.10.4, 15.0-rc-1 pr higher to resolve this vulnerability.

References

XWiki Security Advisory

Related Vulnerabilities

Oracle Database Server CVE-2016-5555 Vulnerability (CVE-2016-5555)

MySQL CVE-2018-2586 Vulnerability (CVE-2018-2586)

Oracle Database Server CVE-2009-1985 Vulnerability (CVE-2009-1985)

Moodle Other Vulnerability (CVE-2007-1647)

PHP Improper Input Validation Vulnerability (CVE-2015-4604)

Severity

High

Classification

CVE-2023-37462 CWE-74 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Remote Code Execution Known Vulnerabilities