CVE-2023-26473

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-26473

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-26473.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-26473

Aliases

GHSA-vpx4-7rfp-h545

Published

2023-03-02T18:17:09.152Z

Modified

2025-12-08T07:52:43.251053Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm

Details

XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.

Database specific

{
    "cwe_ids": [
        "CWE-284"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/26xxx/CVE-2023-26473.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8d72461ba6976af6005e2df511bdeeeb17ef2d74

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0667914a5ec125857bf348207ae592f08f869711

Fixed

08e0887f0362b21614e6bfcb5be7e1f568659c41