CVE-2023-29507
CRITICALXWiki 14.4.1-14.4.6 and 14.5-14.9 - Privilege Escalation via Document Script API
Title source: llmDescription
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
References (3)
Core 3
Core References
Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
Issue Tracking x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20380
Scores
CVSS v3
9.1
EPSS
0.0090
EPSS Percentile
54.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-648
Status
published
Products (3)
org.xwiki.platform/xwiki-platform-oldcore
14.5 - 14.10Maven
xwiki/xwiki
14.10 rc1
xwiki/xwiki
14.4.1 - 14.4.7
Published
Apr 16, 2023
Tracked Since
Feb 18, 2026