CVE-2023-29518 org.xwiki.platform:xwiki-platform-invitation-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-invitation-ui
Vulnerable Version: >=2.5-m-1 <13.10.11 || >=14.0-rc-1 <14.4.8 || >=14.5 <14.10.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.02151 (percentile 0.83592)

Details

XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon

### Impact

Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for the reproduction steps.

### Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.

### Workarounds

The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf) on `Invitation.InvitationCommon`.

### References

- https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf
- https://jira.xwiki.org/browse/XWIKI-20283

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2023-04-20T22:04:00Z
Modified: 2023-04-28T20:04:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-px54-3w5j-qjg9/GHSA-px54-3w5j-qjg9.json
CWE IDs: ["CWE-74"]
Alternative ID: GHSA-px54-3w5j-qjg9
Finding: F184
Auto approve: 1