CVE-2023-45138

Published: Oct 12, 2023

Modified: Sep 18, 2024

PUBLISHED

CVSS v3.1

10.0

CRITICAL

Description

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.

Vendor	Product	Versions
xwiki-contrib	application-changerequest	affected `>= 0.11, < 1.9.2`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj

x_refsource_CONFIRM

https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

x_refsource_MISC

https://jira.xwiki.org/browse/CRAPP-298

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-45138

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References