XWiki Commons may allow privilege escalation to programming rights via user's first name
CVE-2023-26055

9.9CRITICAL

Key Information:

Vendor: xwiki
Status: xwiki-commons
Vendor: CVE Published:; 2 March 2023

Summary

A vulnerability in XWiki Commons allows unauthorized users to inject and execute code by modifying their profile. This flaw, affecting versions starting from 3.1-milestone-1, can also be exploited in applications using short text properties, enabling potential execution of malicious code. Affected users should upgrade to versions 13.10.9, 14.4.4, or 14.7RC1 to mitigate risks.