Change Request Application vulnerable to XSS and remote code execution through change request title
CVE-2023-45138
What is CVE-2023-45138?
The Change Request application by XWiki allows users to request edits without immediate publication. Versions from 0.11 up to, but not including, 1.9.2 contain a significant vulnerability: unauthorized users can perform script injection and remote code execution by manipulating the title of a new Change Request. Exploitation is feasible because the application, by design, permits users without specific permissions to create Change Requests. Users are encouraged to upgrade to version 1.9.2 or, as a workaround, to edit the ChangeRequest.Code.ChangeRequestSheet document to mitigate the risk.

Affected Version(s)
application-changerequest >= 0.11, < 1.9.2
References
EPSS Score
78% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved