CVE-2023-30537

CRITICAL

Xwiki < 13.10.11 - Code Injection

Title source: rule

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

References (3)

[Exploit, Patch, Vendor Advisory] https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp

[Patch] https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://jira.xwiki.org/browse/XWIKI-20280

Scores

CVSS v3 9.9

EPSS 0.1446

EPSS Percentile 94.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-95 CWE-94

Status published

Products (2)

org.xwiki.platform/xwiki-platform-flamingo-theme-ui 12.6.6 - 13.10.11Maven

xwiki/xwiki 12.6.6 - 13.10.11

Published Apr 16, 2023

Tracked Since Feb 18, 2026