CVE-2023-29507

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-29507
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-29507.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-29507
Aliases
Published
2023-04-16T06:52:19Z
Modified
2025-10-14T14:35:13Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
Details

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ab4dfeaeef13360eebcaa507bc652073aa89a427
Fixed
c524887d154ff8f6df9651e36b904e234bf5a6ef
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
fb6bda1d09d5d4395a2be4706349157f4c72e211
Fixed
962ee4ac0352ab1a89cc779c29e81b0674d0203e