<p>Upgrade <code>org.xwiki.platform:xwiki-platform-oldcore</code> to version 14.10.9, 15.4-rc-1 or higher.</p>

Information Exposure Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [3.2-milestone-3,14.10.9) [15.0-rc-1,15.4-rc-1)

Threat Intelligence

Proof of concept

0.19% (57^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-5856817
published 24 Aug 2023
disclosed 24 Aug 2023
credit Michael Hamann

Report a new vulnerability Found a mistake?

Introduced: 24 Aug 2023

CVE-2023-40572 Open this link in a new tab CWE-352 Open this link in a new tab

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-oldcore to version 14.10.9, 15.4-rc-1 or higher.

Overview

org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.

Affected versions of this package are vulnerable to Information Exposure such that a user without script right can execute code within the context of an admin user.

Mitigation: This vulnerability can be mitigated by requiring a CSRF token for the actual page creation.

PoC

[[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)]]

References

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

Low
User Interaction (UI)

Required

Scope (S)

Changed

Confidentiality (C)

High
Integrity (I)

High
Availability (A)

High