Home > Vulnerability Database > CVE-2023-26471

Mend.io Vulnerability Database

CVE-2023-26471

Good to know:

Date: March 2, 2023

XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

Language: Java

Severity Score

9.9

Related Resources (6)

Url: https://jira.xwiki.org/browse/XWIKI-20234

Url: https://github.com/xwiki/xwiki-platform

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26471

Url: https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006

Url: https://www.mend.io/vulnerability-database/CVE-2023-26471

Severity Score

9.9

Weakness Type (CWE)

Improper Access Control

CWE-284

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-rendering-async-api:13.10.10,14.4.6,14.9

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26471

Good to know:

Date: March 2, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?