QwikSec

Security Database

CVE

CWE

Training

CVE-2022-24897

Published: May 2, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.

Vendor	Product	Versions
xwiki	xwiki-commons	affected `>= 2.3, < 12.6.7` affected `12.7-rc-1, < 12.10.3`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-commons/pull/127

x_refsource_MISC

https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-5168

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.