Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. There are no known workarounds for for this vulnerability.
References (3)
Core 3
Core References
Patch, Vendor Advisory x_refsource_confirm
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5
Patch x_refsource_misc
https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be
Issue Tracking, Vendor Advisory x_refsource_misc
https://jira.xwiki.org/browse/XWIKI-20386
Scores
CVSS v3
9.6
EPSS
0.0325
EPSS Percentile
87.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
CWE-94
Status
published
Products (2)
org.xwiki.platform/xwiki-platform-oldcore
1.0 - 14.10.7Maven
xwiki/xwiki
1.0 - 14.10.7
Published
Nov 07, 2023
Tracked Since
Feb 18, 2026