CVE-2023-35150

CRITICAL

Xwiki < 14.4.8 - Code Injection

Title source: rule

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

References (3)

[Vendor Advisory] https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w

[Patch, Vendor Advisory] https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Patch, Vendor Advisory] https://jira.xwiki.org/browse/XWIKI-20285

Scores

CVSS v3 9.9

EPSS 0.3463

EPSS Percentile 97.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-95 CWE-94

Status published

Products (3)

org.xwiki.platform/xwiki-platform-invitation-ui 2.4-m-2 - 14.4.8Maven

xwiki/xwiki 2.4 milestone2

xwiki/xwiki 2.5 - 14.4.8

Published Jun 23, 2023

Tracked Since Feb 18, 2026