← Back

CVE-2023-40572

nvd nist
Published: Aug 24, 2023Modified: Nov 21, 2024

JSON object

Loading...
8.0
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.1 / Impact: 5.9
Source: NVD

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation.

Affected (9)

Products: Xwiki: Xwiki
Xwiki
1 product
Xwiki
Configuration A
9 vulnerable
Vulnerable SoftwareAffected Versions
Xwiki
Xwiki
Before 14.10.9
Xwiki
Version 15.0
Xwiki
Version 15.0 rc1
Xwiki
Version 15.1
Xwiki
Version 15.1 rc1
Xwiki
Version 15.2
Xwiki
Version 15.2 rc1
Xwiki
Version 15.3
Xwiki
Version 15.3 rc1

Related CWEs

CWE-352
Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (6)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
PatchVendor Advisory
Source: security-advisories@github.com
ExploitIssue TrackingVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
PatchVendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitIssue TrackingVendor Advisory

Timeline

No history available yet.