Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

Related CPE's

a

xwiki

xwiki

5

References

https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc

PatchThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc

Third Party Advisory

https://jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html

ExploitThird Party Advisory

https://jira.xwiki.org/browse/XWIKI-17794

Permissions RequiredVendor Advisory

Weaknesses

[email protected]

Primary
CWE-94

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.8 · High

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2021-05-28T21:15:08.980

4 years ago

Last modified

2023-09-29T11:39:46.370

1 year ago