Home > Vulnerability Database > CVE-2023-26477

Mend.io Vulnerability Database

CVE-2023-26477

Good to know:

Date: March 2, 2023

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

Language: Java

Severity Score

10.0

Related Resources (6)

Url: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg

Url: https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284

Url: https://github.com/xwiki/xwiki-platform

Url: https://jira.xwiki.org/browse/XWIKI-19757

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-26477

Url: https://www.mend.io/vulnerability-database/CVE-2023-26477

Severity Score

10.0

Weakness Type (CWE)

Code Injection

CWE-94

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-95

Top Fix

Upgrade Version

Upgrade to version org.xwiki.platform:xwiki-platform-flamingo-theme-ui:13.10.10,14.4.6,14.9

Learn More

CVSS v3.1

Base Score:	10.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-26477

Good to know:

Date: March 2, 2023

Language: Java

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?