CVE-2023-29507
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/04/2023
Last modified:
06/02/2025
Description
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
Impact
Base Score 3.x
9.10
Severity 3.x
CRITICAL
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:* | 14.4.1 (including) | 14.4.7 (excluding) |
| cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
- https://jira.xwiki.org/browse/XWIKI-20380
- https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
- https://jira.xwiki.org/browse/XWIKI-20380
- https://jira.xwiki.org/browse/XWIKI-20380