Change Request Application vulnerable to XSS and remote code execution through change request title
CVE-2023-45138

10 CRITICAL

Key Information:

Vendor:
XWiki
CVE Published:
12 October 2023

Summary

The Change Request application by XWiki lets users propose edits without publishing them immediately. In versions 0.11 up to, but not including, 1.9.2, a vulnerability allows users without specific permissions to perform script injection and remote code execution by crafting the title of a new Change Request. The issue is exploitable because the application, by design, lets users without any particular rights create Change Requests. Users are encouraged to upgrade to version 1.9.2, or to apply the workaround of editing the ChangeRequest.Code.ChangeRequestSheet page, to mitigate the risk.

Affected Version(s)

application-changerequest >= 0.11, < 1.9.2

References

CVSS V3.1

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
