Arbitrary Code Execution Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [7.2,14.10.10) [15.0-rc-1,15.4-rc-1)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGXWIKIPLATFORM-5879650
- published 3 Sep 2023
- disclosed 1 Sep 2023
- credit Unknown
Introduced: 1 Sep 2023
CVE-2023-41046 Open this link in a new tabHow to fix?
Upgrade org.xwiki.platform:xwiki-platform-oldcore to version 14.10.10, 15.4-rc-1 or higher.
Overview
org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.
Affected versions of this package are vulnerable to Arbitrary Code Execution via the TextArea property of an XClass with a content type of "VelocityCode" or "VelocityWiki". When adding the property to an object, the Velocity code is executed regardless of the rights of the author of the property. Although the code is executed with the correct context author, Velocity still grants access to otherwise inaccessible data and APIs that could allow further privilege escalation.
Note: This is only exploitable if the syntax of the document is set to xwiki/1.0.