Description
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged-in user can add dangerous content in their first name field and see it executed with programming rights, leading to rights escalation. The vulnerability has been fixed in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.
Scores
CVSS v3
9.9
EPSS
0.0183
EPSS Percentile
83.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-95
CWE-94
Status
published
Products (4)
org.xwiki.platform/xwiki-platform-like-ui
12.9-rc-1 - 14.4.8 (Maven)
xwiki/xwiki
12.9 rc1
xwiki/xwiki
15.0 (2 CPE variants)
xwiki/xwiki
12.9 - 14.4.8
Published
Jun 23, 2023
Tracked Since
Feb 18, 2026