Velocity execution without script right through tree macro
CVE-2023-50732

8.3 HIGH

Key Information:

Vendor
xwiki
CVE Published:
21 December 2023

Summary

The XWiki Platform contains a vulnerability that allows unauthorized users to execute Velocity scripts without having the appropriate script rights. This can be accomplished through traversing the document tree, possibly leading to unwanted actions or data exposure within the application. Users are strongly advised to upgrade to XWiki version 14.10.7 or 15.2RC1 to mitigate this risk.

Affected Version(s)

xwiki-platform >= 8.3-rc-1, < 14.10.7

xwiki-platform >= 15.0-rc-1, < 15.2-rc-1

CVSS V3.1

Score:
8.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
