CVE-2023-26473: Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm

March 3, 2023

XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.

References

github.com/advisories/GHSA-vpx4-7rfp-h545
github.com/xwiki/xwiki-platform/security/advisories/GHSA-vpx4-7rfp-h545
jira.xwiki.org/browse/XWIKI-19523
nvd.nist.gov/vuln/detail/CVE-2023-26473

Detect and mitigate CVE-2023-26473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →