CVE-2021-32621

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

Related CPE's

a xwiki xwiki 3.0 -******

a xwiki xwiki 3.0 milestone_3 ******

a xwiki xwiki 3.0 rc1 ******

a xwiki xwiki ********

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc

Third Party Advisory

https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc

PatchThird Party Advisory

https://jira.xwiki.org/browse/XWIKI-17794

Permissions RequiredVendor Advisory

CvssV3 impact

BaseSeverity	HIGH
ConfidentialityImpact	HIGH
AttackComplexity	LOW
Scope	UNCHANGED
AttackVector	NETWORK
AvailabilityImpact	HIGH
IntegrityImpact	HIGH
PrivilegesRequired	LOW
BaseScore	8.8
VectorString	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version	3.1
UserInteraction	NONE

CvssV2 impact

AccessComplexity	LOW
ConfidentialityImpact	PARTIAL
AvailabilityImpact	PARTIAL
IntegrityImpact	PARTIAL
BaseScore	6.5
VectorString	AV:N/AC:L/Au:S/C:P/I:P/A:P
Version	2.0
AccessVector	NETWORK
Authentication	SINGLE

Created by Yello

About Severity.io