CVE-2023-29507

Published: Apr 16, 2023Modified: Feb 6, 2025

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

Affected (2)

Products: Xwiki: Xwiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	From 14.4.1 to 14.4.7
Xwiki Xwiki	Version 14.10 rc1

Related CWEs

Incorrect Use of Privileged APIs

The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

References (7)

https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

Source: security-advisories@github.com

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c

Source: security-advisories@github.com

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20380

Source: security-advisories@github.com

Issue Tracking

https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://jira.xwiki.org/browse/XWIKI-20380

Source: af854a3a-2127-422b-91ae-364da2661108

Issue Tracking

https://jira.xwiki.org/browse/XWIKI-20380

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Issue Tracking

Timeline

No history available yet.