XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
Critical severity
GitHub Reviewed
Published
Jun 20, 2023
in
xwiki/xwiki-platform
•
Updated Nov 12, 2023
Package
Affected versions
>= 12.9-rc-1, < 14.4.8
>= 14.5, < 14.10.6
>= 15.0-rc-1, < 15.1
Patched versions
14.4.8
14.10.6
15.1
Description
Published to the GitHub Advisory Database
Jun 20, 2023
Reviewed
Jun 20, 2023
Published by the National Vulnerability Database
Jun 23, 2023
Last updated
Nov 12, 2023
Impact
Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation.
Patches
The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.
Workarounds
The vulnerability can be fixed by applying this patch.
On versions before 13.4-rc-1, the fix needs to be applied on XWiki.Like.Code.LiveTableResultPage.
References
For more information
If you have any questions or comments about this advisory:
References