XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros, including Groovy and Python macros, which allows remote code execution, including unrestricted read and write access to all wiki contents. This vulnerability has been patched in XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch to Invitation.InvitationCommon and Invitation.InvitationConfig; there are otherwise no known workarounds for this vulnerability.
{
"cwe_ids": [
"CWE-94"
],
"cna_assigner": "GitHub_M",
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37914.json"
}[
{
"digest": {
"length": 1550.0,
"function_hash": "339282825351180123961268690316147546200"
},
"id": "CVE-2023-37914-27621e5e",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "testEq1ConfigClassExistsNewInvitationConfig"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 1416.0,
"function_hash": "67262820242911171743754105937048326518"
},
"id": "CVE-2023-37914-3dc25c65",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "testEq1ConfigClassExistsConfigMapTooSmall"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 442.0,
"function_hash": "71863537301444799077272327351964966371"
},
"id": "CVE-2023-37914-42455d99",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationConfigPageTest.java",
"function": "escapeInfoMessageInternalDocumentParameter"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 1529.0,
"function_hash": "235862181908831211954227013046329049174"
},
"id": "CVE-2023-37914-44b99789",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "testEq1ConfigClassExistsInvalidFromAddress"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"333090352389187170801825376565132473786",
"116412206127966436128767184033753837360",
"263448177281553707790028158109487388756",
"20778338281122017743125412566687563986",
"105666250373144419032357085645317720632",
"162251258662267141777424005441306742748",
"268773732375373482535109211690093702716",
"29956268411415547975701237935062678505",
"212423808098395960562622633257466090516",
"175484378710074101183245831106544000525",
"252122563298327165699246934730577956087",
"250544293623661809530317766171102103957",
"186385996053887794477137311729211064477",
"290872835019689251874476707551412991752",
"172406792903650741470166673000903369152",
"277110893706752377705324568784460023704",
"305596593979266117398086650852498063363",
"12506563777896120562445885728241976150",
"337786582398331095230695674895112077478",
"148082600552280786734410900754358420375",
"4594934105779342876769071329624673948",
"155814237569296886786549447327829669754",
"130871420701499853483186221505134882858",
"318228723242573276336330888718138070746",
"37226958206649956883424515157654676926",
"55163362005656742650560605480119899941",
"125961294230185329869282929815872633795",
"153242436695507217457050113470762617261",
"303581578229287462211123690587912806133",
"16534969778308144015932844935907707296",
"145832155068524320595031433869164059345",
"291610701768203846470447401116504402346",
"77812901762574834515799755941418389296",
"334899099289131166628057856792193979063",
"258079907243326367073660539897976641695",
"145832155068524320595031433869164059345",
"291610701768203846470447401116504402346",
"77812901762574834515799755941418389296",
"334899099289131166628057856792193979063",
"336556536999853337948998530681039411670",
"41979993815744568304782095253070059343",
"111514281388493603355440369531433507053",
"88216652890450733044962090205411058465",
"206673131740715486075935294483096812933",
"256524209756057872763166515055663012547",
"94859041154442447525023319297993774877",
"316035241805452196524024309367529002212",
"78123573111685296579732394564562255894",
"300400248462360277531792962464781831910"
]
},
"id": "CVE-2023-37914-4d9afd1d",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 900.0,
"function_hash": "110075238731715126816926482170607395828"
},
"id": "CVE-2023-37914-4d9fc8b2",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "displayMessageVelocityMacro"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 1002.0,
"function_hash": "320583521172056956845216382720741424680"
},
"id": "CVE-2023-37914-af0c24a0",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "testEq1ConfigClassIsNew"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"length": 461.0,
"function_hash": "94229145256540923301982839580488994152"
},
"id": "CVE-2023-37914-b5d0f79c",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Function",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationCommonPageTest.java",
"function": "testEq0"
},
"signature_version": "v1",
"deprecated": false
},
{
"digest": {
"threshold": 0.9,
"line_hashes": [
"45828237684934314065673435622360057394",
"152917747732704500406673668331957836175",
"70927632413549507712131618842966499298",
"296819425780026146382306677034487145991",
"213667004644762520258648145509200480803",
"120087305962682635948618086036633016784",
"305562815700333167243307812852697316714",
"332488330178457715968730560669877093206",
"49539193550979267086726052304514938522",
"18841764902700320163553247793842569027",
"117307399422290762277147793410764519658",
"33890990930764568279657006834728419859",
"261334841522569931985973519625921742446",
"92347541357779961345317384096426137084",
"155700986957335332932765934378344430213"
]
},
"id": "CVE-2023-37914-de0be649",
"source": "https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591",
"signature_type": "Line",
"target": {
"file": "xwiki-platform-core/xwiki-platform-invitation/xwiki-platform-invitation-ui/src/test/java/org/xwiki/invitation/InvitationConfigPageTest.java"
},
"signature_version": "v1",
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37914.json"