Homepage
About Snyk

Privilege Escalation Affecting org.xwiki.platform:xwiki-platform-core package, versions [7.0-rc-1,14.4.8) [14.5,14.10.4)

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    50.71% (98th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-5777692
  • published 16 Jul 2023
  • disclosed 16 Jul 2023
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 16 Jul 2023

CVE-2023-37462 Open this link in a new tab
CWE-264 Open this link in a new tab

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-core to version 14.4.8, 14.10.4 or higher.

Overview

Affected versions of this package are vulnerable to Privilege Escalation due to improper escaping in the document SkinsCode.XWikiSkinsSheet, allowing the attacker to escalate privileges from view rights on that document to programming rights. This vulnerability allows the execution of arbitrary script macros, including Groovy and Python macros that allow remote code execution, including unrestricted read and write access to all wiki contents.

Exploiting this vulnerability is possible by opening a non-existing page with a name crafted to contain a dangerous payload.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.3 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    Low
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    High
  • Availability (A)
    Low
Expand this section

NVD

8.8 high