CVE-2023-29204
Last modified
CVE-2023-29204 is a medium-severity vulnerability rated 6.1/10 on the CVSS scale. XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. EPSS estimates a 1.76% chance of exploitation in the next 30 days.
Description
XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using URL such as `http:/mydomain.com`. The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Xwiki | Xwiki | >= 6.0, < 13.10.10 | — |
| Xwiki | Xwiki | >= 14.4.0, < 14.4.4 | — |
| Xwiki | Xwiki | >= 14.5, <= 14.7 | — |
| Xwiki | Xwiki | 6.0 | Rc1 |
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xwph-x6xj-wggvExploit, Patch, Vendor Advisory
- https://jira.xwiki.org/browse/XWIKI-10309Exploit, Issue Tracking
- https://jira.xwiki.org/browse/XWIKI-19994Exploit, Issue Tracking
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xwph-x6xj-wggvExploit, Patch, Vendor Advisory
- https://jira.xwiki.org/browse/XWIKI-10309Exploit, Issue Tracking
- https://jira.xwiki.org/browse/XWIKI-19994Exploit, Issue Tracking
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2023-29204?
How severe is CVE-2023-29204?
How do I fix CVE-2023-29204?
Are you affected by CVE-2023-29204?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST