CVE-2023-36477

See a problem?
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-36477
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-36477.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-36477
Aliases
Published
2023-06-30T19:15:09Z
Modified
2024-06-06T14:24:31.425185Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service and editing the javascript configuration of CKEditor, leading to persistent XSS. This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. Users are advised to upgrade. Users unable to upgrade may manually address the issue by restricting theeditanddeleterights to a trusted user or group (e.g. theXWiki.XWikiAdminGroupgroup), implicitly disabling those rights for all other users. See commit9d9d86179` for details.

References

Affected packages

Git / github.com/xwiki-contrib/application-ckeditor

Affected ranges

Type
GIT
Repo
https://github.com/xwiki-contrib/application-ckeditor
Events
Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

application-ckeditor-1.*

application-ckeditor-1.10
application-ckeditor-1.11
application-ckeditor-1.12
application-ckeditor-1.13
application-ckeditor-1.14
application-ckeditor-1.15
application-ckeditor-1.16
application-ckeditor-1.17
application-ckeditor-1.18
application-ckeditor-1.19
application-ckeditor-1.20
application-ckeditor-1.21
application-ckeditor-1.22
application-ckeditor-1.23
application-ckeditor-1.24
application-ckeditor-1.25
application-ckeditor-1.26
application-ckeditor-1.27
application-ckeditor-1.28
application-ckeditor-1.28.1
application-ckeditor-1.29
application-ckeditor-1.30
application-ckeditor-1.31
application-ckeditor-1.32
application-ckeditor-1.33
application-ckeditor-1.34
application-ckeditor-1.35
application-ckeditor-1.36
application-ckeditor-1.37
application-ckeditor-1.38
application-ckeditor-1.39
application-ckeditor-1.40
application-ckeditor-1.41
application-ckeditor-1.42
application-ckeditor-1.43
application-ckeditor-1.44
application-ckeditor-1.45
application-ckeditor-1.46
application-ckeditor-1.47
application-ckeditor-1.48
application-ckeditor-1.49
application-ckeditor-1.50
application-ckeditor-1.51
application-ckeditor-1.52
application-ckeditor-1.53
application-ckeditor-1.53.1
application-ckeditor-1.53.2
application-ckeditor-1.54
application-ckeditor-1.55
application-ckeditor-1.56
application-ckeditor-1.57
application-ckeditor-1.58
application-ckeditor-1.59
application-ckeditor-1.60
application-ckeditor-1.60.1
application-ckeditor-1.61
application-ckeditor-1.62
application-ckeditor-1.63
application-ckeditor-1.63.1
application-ckeditor-1.64
application-ckeditor-1.64.1
application-ckeditor-1.64.3
application-ckeditor-1.9

application-ckeditor-pom-1.*

application-ckeditor-pom-1.64.2
application-ckeditor-pom-1.64.4
application-ckeditor-pom-1.64.5
application-ckeditor-pom-1.64.6
application-ckeditor-pom-1.64.7
application-ckeditor-pom-1.64.8

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1