CVE-2023-29204

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-29204

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29204.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-29204

Aliases

GHSA-xwph-x6xj-wggv

Published

2023-04-15T16:15:07Z

Modified

2024-09-03T04:29:26.998153Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as //mydomain.com (i.e. omitting the http:). It was also possible to bypass it when using URL such as http:/mydomain.com. The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1.

References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type: GIT
Repo: https://github.com/xwiki/xwiki-commons
Events: Introduced

a54424640068c0da4820bb6892cd61be80ae19a0

Fixed

bc18e50bcf9ea40d1e25ff8d065b3178c8247f16

Type: GIT
Repo: https://github.com/xwiki/xwiki-platform
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e4f7f68e93cb08c25632c126356d218abf192d1e

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2

xwiki-platform-7.4-milestone-1

xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1

xwiki-platform-8.0-milestone-2

xwiki-platform-8.1-milestone-1

xwiki-platform-8.1-milestone-2

xwiki-platform-8.2-milestone-1

xwiki-platform-8.2-milestone-2

xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1