SB2023030625 - Multiple vulnerabilities in XWiki Platform
Published: March 6, 2023
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2023-26471)
The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the handling of comments and the async macro. A remote user who can post comments can bypass the rights checks that should apply to that content and escalate privileges within the application.
2) Exposed dangerous method or function (CVE-ID: CVE-2023-26478)
The vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to an exposed dangerous function or method. A remote user can send a specially crafted request to the exposed method to escalate privileges and compromise the application.
3) Improper handling of exceptional conditions (CVE-ID: CVE-2023-26479)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of exceptional conditions. A remote user can send specially crafted input and cause the application to become unavailable, resulting in a denial of service (DoS).
Remediation
Upgrade XWiki Platform to a fixed release for the maintenance line in use; the fixed versions for each issue are stated in the vendor advisories referenced below. Note that the fixes landed in several maintenance lines at once, so a release on one line being newer than the fixed version on another line does not mean it contains the fix.
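To check whether an installed version is covered by a fix, the comparison has to respect XWiki's parallel maintenance lines and its pre-release suffixes (for example `14.10-rc-1` sorts before `14.10`). The following helper is an added example written for this bulletin; it is not code from XWiki or from the bulletin's author. The fixed-version table it ships with is a constructed placeholder and must be replaced with the versions stated in the vendor advisories for each CVE.

```python
import re
from typing import Iterable, Tuple

# Placeholder table constructed for this example (assumption, not taken from
# the advisories): one fixed version per maintenance line. Replace these with
# the fixed versions listed in the vendor advisory for the CVE being checked.
FIXED_VERSIONS_EXAMPLE = ("13.10.11", "14.4.7", "14.10")

# XWiki pre-release ordering: milestones come before release candidates.
_PRE_RANK = {"milestone": 0, "rc": 1}


def parse_version(version: str) -> Tuple[int, int, int, int, int, int]:
    """Turn an XWiki version string into a tuple that sorts correctly.

    Accepts 'MAJOR.MINOR', 'MAJOR.MINOR.PATCH' and pre-release forms such as
    '14.10-rc-1' or '14.10-milestone-2'. The fourth element is 1 for a final
    release and 0 for a pre-release, so a final release sorts after every
    pre-release of the same number.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?",
                     version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4] is None:
        return (major, minor, patch, 1, 0, 0)
    return (major, minor, patch, 0, _PRE_RANK[m[4]], int(m[5]))


def is_vulnerable(installed: str, fixed_versions: Iterable[str]) -> bool:
    """Return True if `installed` does not contain the fix.

    A version is considered fixed if it is at least the newest fixed version
    overall (later lines inherit the fix), or if it is on the same
    MAJOR.MINOR maintenance line as one of the fixed versions and at least
    that version. Anything else (an older patch level on a fixed line, or a
    line that sits between two fixed lines, e.g. 14.5.x when the fixes are
    in 14.4.7 and 14.10) is reported as vulnerable.
    """
    inst = parse_version(installed)
    fixed = [parse_version(f) for f in fixed_versions]
    if not fixed:
        raise ValueError("no fixed versions supplied")
    if inst >= max(fixed):
        return False
    for f in fixed:
        if f[:2] == inst[:2] and inst >= f:
            return False
    return True


if __name__ == "__main__":
    for v in ("13.10.10", "13.10.11", "14.4.8", "14.5.2", "14.10-rc-1", "15.0"):
        state = "VULNERABLE" if is_vulnerable(v, FIXED_VERSIONS_EXAMPLE) else "fixed"
        print(f"{v:>12}: {state}")
```

The two-step rule (newest fixed version overall, then same-line comparison) is what matters: a naive `installed >= fixed` on a single number would wrongly clear a 14.5.x install against a 14.4.7 fix, and would wrongly flag 13.10.11 against 14.10.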
References
- https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7
- https://jira.xwiki.org/browse/XWIKI-20234
- https://jira.xwiki.org/browse/XWIKI-20180
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p
- https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d
- https://jira.xwiki.org/browse/XWIKI-19838
- https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7