CVE-2023-35152
CRITICAL
XWiki Platform 12.9-rc-1 to 15.0 - Authenticated Eval Injection via First Name Field
Title source: llmDescription
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged-in user can put dangerous content in the first name field of their own profile and have it executed with programming rights, leading to privilege escalation. Programming rights are XWiki's highest privilege level, so content executed with them can run arbitrary script on the server; no administrator interaction is required, which is why the CVSS vector carries PR:L, UI:N and a changed scope. The affected code is in the like UI module (org.xwiki.platform/xwiki-platform-like-ui). The vulnerability has been fixed in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the patch may be applied manually.
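Added illustrative example (not XWiki's code and not taken from the advisory or the fix commits): a minimal model of the CWE-95 pattern described above. Python's evaluated f-strings stand in for a server-side template engine, and the PrivilegedContext class, its secret attribute and the profile template are constructed stand-ins for what a template can reach when it runs with elevated rights. The vulnerable renderer splices the user's first name into the template source before evaluating it, so a name that contains expression syntax is executed in the privileged context; the fixed renderer keeps the template source constant and passes the name in as a value.

```python
"""Minimal model of CWE-95 (eval injection) through a user-profile field.

Constructed illustration only: Python's evaluated f-strings stand in for a
server-side template engine, and PrivilegedContext stands in for the objects
a template can reach when it runs with elevated (programming) rights.
"""


class PrivilegedContext:
    """Constructed stand-in for the privileged objects visible to a template."""

    def __init__(self) -> None:
        self.secret = "admin-only-value"  # constructed sample data


# Constructed profile template; {firstName} is meant to be a plain value.
PROFILE_TEMPLATE = "Welcome, {firstName}!"


def render_vulnerable(first_name: str, ctx: PrivilegedContext) -> str:
    """VULNERABLE: the user-controlled first name is substituted into the
    template *source* and the result is then evaluated, so any expression
    syntax inside the name is executed with the template's privileges."""
    source = PROFILE_TEMPLATE.replace("{firstName}", first_name)
    return eval('f"""' + source + '"""', {"services": ctx})


def render_fixed(first_name: str, ctx: PrivilegedContext) -> str:
    """FIXED: the template source never changes; the first name enters the
    evaluation as a value bound to the name firstName, so braces or other
    expression syntax inside it are inert text."""
    return eval('f"""' + PROFILE_TEMPLATE + '"""',
                {"services": ctx, "firstName": first_name})


def compare(first_name: str) -> dict:
    """Render one first name both ways so the difference is visible."""
    ctx = PrivilegedContext()
    return {"vulnerable": render_vulnerable(first_name, ctx),
            "fixed": render_fixed(first_name, ctx)}


if __name__ == "__main__":
    # "Alice" renders identically both ways; the other two names are
    # constructed payloads that only the vulnerable path evaluates.
    for name in ("Alice", "{7 * 6}", "{services.secret}"):
        print(repr(name), "->", compare(name))
```

The point of the fixed version is structural: the untrusted value is never part of the code that gets evaluated, so there is no set of characters to escape or blocklist. A filter that rejects braces (or, in XWiki's case, Velocity or wiki syntax) in the first name would be a much weaker mitigation than the upstream fix referenced below.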
References (5)
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
Patch, Vendor Advisory: https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39
Patch, Vendor Advisory: https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49
Issue Tracking, Vendor Advisory: https://jira.xwiki.org/browse/XWIKI-19900
Issue Tracking, Vendor Advisory: https://jira.xwiki.org/browse/XWIKI-20611
Scores
CVSS v3
9.9
EPSS
0.0083
EPSS Percentile
52.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
Status
published
Products (4)
org.xwiki.platform/xwiki-platform-like-ui (Maven)
12.9-rc-1 - 14.4.8
xwiki/xwiki
12.9 rc1
xwiki/xwiki
15.0 (2 CPE variants)
xwiki/xwiki
12.9 - 14.4.8
Published
Jun 23, 2023
Tracked Since
Feb 18, 2026