CVE-2023-26055

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26055

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26055.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26055

Aliases

GHSA-8cw6-4r32-6r3h

Published

2023-03-02T19:15:10Z

Modified

2024-05-29T20:52:00Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

04855346e50d9e28fb71f866dacf545e423dd8f4

Fixed

04c07ad2e0614b2e5cead6d60477e5954e3e0278