CVE-2023-30537
CRITICALXWiki 12.6.6-13.10.10 - Authenticated Remote Code Execution via FlamingoThemesCode.WebHome Style Property
Title source: llmDescription
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.
References (3)
Core 3
Core References
Exploit, Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8
Exploit, Issue Tracking, Patch, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20280
Scores
CVSS v3
9.9
EPSS
0.0104
EPSS Percentile
59.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
CWE-94
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-flamingo-theme-ui
12.6.6 - 13.10.11Maven
xwiki/xwiki
12.6.6 - 13.10.11
Published
Apr 16, 2023
Tracked Since
Feb 18, 2026