CVE-2023-26477

GHSA-x2qm-r4wx-8gpg, CVE-2023-26477

maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

All versions starting from 6.2.4 before 13.10.10, all versions starting from 14.0 before 14.4.6, all versions starting from 14.5 before 14.9-rc-1

Upgrade to versions 13.10.10, 14.4.6, 14.9-rc-1 or above. Note: 14.9-rc-1 may be an unstable version. Use caution.

2023-03-06