CVE-2023-35150: Improper Control of Generation of Code ('Code Injection')

June 20, 2023 (updated June 30, 2023)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

References

github.com/advisories/GHSA-6mf5-36v9-3h2w
github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a
github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w
jira.xwiki.org/browse/XWIKI-20285
nvd.nist.gov/vuln/detail/CVE-2023-35150

Detect and mitigate CVE-2023-35150 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →