CVE-2023-26477: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

March 3, 2023

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it’s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

References

github.com/advisories/GHSA-x2qm-r4wx-8gpg
github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2
github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg
jira.xwiki.org/browse/XWIKI-19757
nvd.nist.gov/vuln/detail/CVE-2023-26477

Detect and mitigate CVE-2023-26477 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →