CVE-2023-35152: Improper Control of Generation of Code ('Code Injection')
(updated )
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually.
References
- github.com/advisories/GHSA-rf8j-q39g-7xfm
- github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45
- github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
- jira.xwiki.org/browse/XWIKI-19900
- jira.xwiki.org/browse/XWIKI-20611
- nvd.nist.gov/vuln/detail/CVE-2023-35152
Detect and mitigate CVE-2023-35152 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →