CVE-2020-15252

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-15252

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15252.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2020-15252

Aliases

GHSA-5hv6-mh8q-q9v8

Published

2020-10-16T17:15:11Z

Modified

2024-09-02T22:40:15Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In XWiki before version 12.5 and 11.10.6, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

fb7be2bf0053cd082cc294fb75435fb95cdc74fb

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f7e95fc383b21fdbb1f5862b6fc755f485428b05