CVE-2023-37912

Published: Oct 25, 2023

Modified: Sep 12, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro.

Vendor	Product	Versions
xwiki	xwiki-rendering	affected `< 14.10.6` affected `>= 15.0-rc-1, < 15.1-rc-1`

Weaknesses (CWE)

CWE-270

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-35j5-m29r-xfq5

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e

x_refsource_MISC

https://jira.xwiki.org/browse/XRENDERING-688

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-37912

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References