CVE-2023-26473

Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm in maven/org.xwiki.platform/xwiki-platform-web

Identifiers

GHSA-vpx4-7rfp-h545, CVE-2023-26473

Package Slug

maven/org.xwiki.platform/xwiki-platform-web

Vulnerability

Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm

Description

XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.

Affected Versions

All versions starting from 1.3-rc-1 before 13.10.11, all versions starting from 14.0 before 14.4.7, all versions starting from 14.5 before 14.10

Solution

Upgrade to versions 13.10.11, 14.4.7, 14.10 or above.

Last Modified

2023-03-06

source