Home > Vulnerability Database > CVE-2023-26475

Mend.io Vulnerability Database

CVE-2023-26475

Good to know:

Date: March 2, 2023

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

Language: Java

Severity Score

9.9

Related Resources (7)

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr

Url: https://jira.xwiki.org/browse/XWIKI-20384

Url: https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7

Url: https://github.com/xwiki/xwiki-platform

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26475

Url: https://jira.xwiki.org/browse/XWIKI-20360

Url: https://www.mend.io/vulnerability-database/CVE-2023-26475

Severity Score

9.9

Weakness Type (CWE)

Improper Privilege Management

CWE-269

Privilege Context Switching Error

CWE-270

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-legacy-oldcore:13.10.11,14.4.7,14.10

Learn More

CVSS v3.1

Base Score:	9.9
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26475

Good to know:

Date: March 2, 2023

Language: Java

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?