CVE-2023-27480

GHSA-gx4f-976g-7g6v, CVE-2023-27480

maven/org.xwiki.platform/xwiki-platform-xar-model

Improper Restriction of XML External Entity Reference

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.

All versions starting from 1.1-milestone-3 before 13.10.11, all versions starting from 14.0 before 14.4.7, all versions starting from 14.5 before 14.10-rc-1

Upgrade to versions 13.10.11, 14.4.7, 14.10-rc-1 or above. Note: 14.10-rc-1 may be an unstable version. Use caution.

2023-03-09