CVE-2023-37914

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-37914
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37914.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-37914
Aliases
Published
2023-08-17T17:21:23.571Z
Modified
2026-04-10T04:58:51.833620Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L CVSS Calculator
Summary
Privilege escalation (PR)/RCE from account through Invitation subject/message
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch on Invitation.InvitationCommon and Invitation.InvitationConfig, but there are otherwise no known workarounds for this vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-94"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/37xxx/CVE-2023-37914.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
28b2f17f6ca49d532ef0dab75f72425f5c10728c
Fixed
b469b950e7fe3d22f00b639d43f286bf871472b1
Database specific 
{
    "versions": [
        {
            "introduced": "2.5-m1"
        },
        {
            "fixed": "14.4.8"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
db1b7950037774552be2897571c2e1c5a7589400
Database specific 
{
    "versions": [
        {
            "introduced": "14.5.0"
        },
        {
            "fixed": "14.10.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
96b4a230ee41ef74268c9720722f6473c705583d
Fixed
b30cbc9010741699e70111d7f905ad1b592e1e2c
Database specific 
{
    "versions": [
        {
            "introduced": "15.0"
        },
        {
            "fixed": "15.2-rc-1"
        }
    ]
}

Affected versions

xwiki-platform-14.*
xwiki-platform-14.10
xwiki-platform-14.10.1
xwiki-platform-14.10.2
xwiki-platform-14.10.3
xwiki-platform-14.10.4
xwiki-platform-14.10.5
xwiki-platform-7.*
xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2
xwiki-platform-8.*
xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1
xwiki-platform-9.*
xwiki-platform-9.9-rc-2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-37914.json"