CVE-2023-35152 Vulnerability Details

  /     /     /  

CVE-2023-35152 Metadata Quick Info

CVE Published: 23/06/2023 | CVE Updated: 27/11/2024 | CVE Year: 2023
Source: GitHub_M | Vendor: xwiki | Product: xwiki-platform
Status : PUBLISHED

---

CVE-2023-35152 Description

XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.

Metrics

CVSS Version: 3.1 | Base Score: 10 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

l➤ Exploitability Metrics:
    Attack Vector (AV)* NETWORK
    Attack Complexity (AC)* LOW
    Privileges Required (PR)* LOW
    User Interaction (UI)* NONE
    Scope (S)* CHANGED

l➤ Impact Metrics:
    Confidentiality Impact (C)* HIGH
    Integrity Impact (I)* HIGH
    Availability Impact (A)* HIGH

Weakness Enumeration (CWE)

CWE-ID: CWE-95
CWE Name: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ( Eval Injection )
Source: xwiki

Common Attack Pattern Enumeration and Classification (CAPEC)

CAPEC-ID:
CAPEC Description:


Source: NVD (National Vulnerability Database).