Multiple vulnerabilities in XWiki Platform
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-26471 CVE-2023-26478 CVE-2023-26479 |
| CWE-ID | CWE-284 CWE-749 CWE-755 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
XWiki platform Web applications / CMS |
| Vendor | XWiki |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU72773
Risk: Medium
CVSSv4.0: 7.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-26471
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions within comments and async macro. A remote user can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Vulnerable software versionsXWiki platform: 11.6 rc-1
CPE2.3 External linkshttp://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006
http://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9cqm-5wf7-wcj7
http://jira.xwiki.org/browse/XWIKI-20234
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Exposed dangerous method or function
EUVDB-ID: #VU72779
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:U/U:Clear]
CVE-ID: CVE-2023-26478
CWE-ID:
CWE-749 - Exposed Dangerous Method or Function
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the target system.
The vulnerability exists due to an exposed dangerous function or method. A remote administrator can send a specially crafted request to bypass authentication and obtain administrative access.
MitigationInstall updates from vendor's website.
Vulnerable software versionsXWiki platform: 14.3 rc-1
CPE2.3 External linkshttp://jira.xwiki.org/browse/XWIKI-20180
http://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p
http://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Improper handling of exceptional conditions
EUVDB-ID: #VU72780
Risk: Medium
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-26479
CWE-ID:
CWE-755 - Improper Handling of Exceptional Conditions
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper handling of errors. A remote user can send specially crafted input and perform a denial of service (DoS) attack.
MitigationInstall updates from vendor's website.
Vulnerable software versionsXWiki platform: 6.0
CPE2.3 External linkshttp://jira.xwiki.org/browse/XWIKI-19838
http://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7
http://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
