CVE-2023-26471
Last modified
CVE-2023-26471 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. EPSS estimates a 0.92% chance of exploitation in the next 30 days.
Description
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Xwiki | Xwiki | >= 11.6, < 13.10.10 | — |
| Xwiki | Xwiki | >= 14.0, < 14.4.6 | — |
| Xwiki | Xwiki | >= 14.5, < 14.9 | — |
| Xwiki | Xwiki | 11.6 | Rc1 |
References
- https://jira.xwiki.org/browse/XWIKI-20234Exploit, Issue Tracking, Patch, Vendor Advisory
- https://jira.xwiki.org/browse/XWIKI-20234Exploit, Issue Tracking, Patch, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-26471?
How severe is CVE-2023-26471?
How do I fix CVE-2023-26471?
Are you affected by CVE-2023-26471?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST