CVE-2023-29507

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-29507
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

7.2 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 Patch
https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c Vendor Advisory
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20380 Issue Tracking
https://jira.xwiki.org/browse/XWIKI-20380 Issue Tracking
https://jira.xwiki.org/browse/XWIKI-20380 Issue Tracking
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
History

06 Feb 2025, 17:15

Type Values Removed Values Added
References (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c - Vendor Advisory () https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c - Vendor Advisory
References (MISC) https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 - Patch () https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 - Patch
References (MISC) https://jira.xwiki.org/browse/XWIKI-20380 - Issue Tracking () https://jira.xwiki.org/browse/XWIKI-20380 - Issue Tracking

26 Apr 2023, 17:51

Type Values Removed Values Added
CPE cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:14.10:rc1:*:*:*:*:*:*
First Time Xwiki
Xwiki xwiki
CWE CWE-648 NVD-CWE-Other
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.2
References (MISC) https://jira.xwiki.org/browse/XWIKI-20380 - (MISC) https://jira.xwiki.org/browse/XWIKI-20380 - Issue Tracking
References (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c - (MISC) https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c - Vendor Advisory
References (MISC) https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 - (MISC) https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 - Patch

16 Apr 2023, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-04-16 07:15

Updated : 2025-02-06 17:15

NVD link : CVE-2023-29507

Mitre link : CVE-2023-29507

JSON object : View

Products Affected

xwiki

  • xwiki
CWE
NVD-CWE-Other