CVE-2023-30537

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-30537
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-30537.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-30537
Aliases
Published
2023-04-16T07:06:43Z
Modified
2025-10-14T14:33:06Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties FlamingoThemesCode.WebHome. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.

References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
89adfffda9d65893222b1cdf9a662664a4e75255
Fixed
08e0887f0362b21614e6bfcb5be7e1f568659c41
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
198ef99386911c0f7af11a0957092d349961e3a6
Fixed
962ee4ac0352ab1a89cc779c29e81b0674d0203e
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
ab4dfeaeef13360eebcaa507bc652073aa89a427
Fixed
c524887d154ff8f6df9651e36b904e234bf5a6ef