Exploit
CVE-2023-26477

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') (CWE-95)

Published: Mar 2, 2023 / Updated: 20mo ago

CVSS 9.8 / EPSS 0.13% / Critical

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-26477.

Mar 2, 2023 at 6:06 PM / cve.report

EPSS

EPSS Score was set to: 0.13% (Percentile: 47.3%)

Sep 19, 2023 at 8:23 AM

Affected Systems

Xwiki/xwiki

Exploits

https://jira.xwiki.org/browse/XWIKI-19757

Patches

Github Advisory

Attack Patterns

CAPEC-35: Leverage Executable Code in Non-Executable Files

Vendor Advisory

[GHSA-x2qm-r4wx-8gpg] org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

News

CPAI-2023-1605
The post CPAI-2023-1605 appeared first on Check Point Software.
CVE-2023-26477 Exploit
CVE Id: CVE-2023-26477. Published Date: 2023-03-10T05:00:00+00:00. XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. inTheWild added a link to an exploit: https://jira.xwiki.org/browse/XWIKI-19757
Remote code execution in XWiki Platform
CVE-2023-26477
Severity: None. Published: 02/03/2023. Last revised: 02/03/2023. Description: *** Translation pending *** XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
