CVE-2023-26475: xwiki-platform vulnerable to Remote Code Execution in Annotations

March 2, 2023 (updated March 3, 2023)

XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.

References

github.com/advisories/GHSA-h6f5-8jj5-cxhr
github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7
github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr
jira.xwiki.org/browse/XWIKI-20360
jira.xwiki.org/browse/XWIKI-20384
nvd.nist.gov/vuln/detail/CVE-2023-26475

Detect and mitigate CVE-2023-26475 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →