Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, set the rights of the page Filter.WebHome and make sure only the main wiki administrators can view the application installed on the main wiki, or edit the page and apply the changes described in commit fb49b4f.
References (3)
Core References
Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113
Patch, Third Party Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q6jp-gcww-8v2j
Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-19758
Scores
CVSS v3
9.6
EPSS
0.0973
EPSS Percentile
93.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-filter-ui
0 - 13.10.8 (Maven)
xwiki/xwiki
14.5
xwiki/xwiki
< 13.10.8
Published
Nov 22, 2022
Tracked Since
Feb 18, 2026