Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-50722— XWiki Platform XSS/CSRF Remote Code Execution in XWiki.ConfigurableClass

CVSS 9.7 · Critical EPSS 3.26% · P87
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-50722

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
XWiki Platform XSS/CSRF Remote Code Execution in XWiki.ConfigurableClass
Source: NVD (National Vulnerability Database)
Vulnerability Description
XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, there is a reflected XSS or also direct remote code execution vulnerability in the code for displaying configurable admin sections. The code that can be passed through a URL parameter is only executed when the user who is visiting the crafted URL has edit right on at least one configuration section. While any user of the wiki could easily create such a section, this vulnerability doesn't require the attacker to have an account or any access on the wiki. It is sufficient to trick any admin user of the XWiki installation to visit the crafted URL. This vulnerability allows full remote code execution with programming rights and thus impacts the confidentiality, integrity and availability of the whole XWiki installation. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patch can be manually applied to the document `XWiki.ConfigurableClass`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
XWiki Platform 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
XWiki Platform是XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 存在安全漏洞,该漏洞源于用于显示可配置管理部分的代码中存在反射型跨站脚本漏洞或远程代码执行漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
xwikixwiki-platform >= 2.3, < 14.10.15 -

II. Public POCs for CVE-2023-50722

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2023-50722

登录查看更多情报信息。

Same Patch Batch · xwiki · 2023-12-15 · 5 CVEs total

CVE-2023-5072110.0 CRITICALXWiki Platform RCE from account through SearchAdmin
CVE-2023-5072310.0 CRITICALXWiki Platform remote code execution/programming rights with configuration section from an
CVE-2023-507197.5 HIGHXWiki Platform Solr search discloses password hashes of all users
CVE-2023-507205.3 MEDIUMXWiki Platform Solr search discloses email addresses of users

IV. Related Vulnerabilities

Same product: xwiki-platform
Same vendor: xwiki
Same weakness: CWE-79

V. Comments for CVE-2023-50722

No comments yet

Leave a comment