CVE-2023-37462
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2023-37462 is a critical vulnerability in the XWiki Platform that allows remote code execution because of improper escaping in the `SkinsCode.XWikiSkinsSheet` document. By opening a non-existent page with a crafted name, an attacker can execute arbitrary script macros, including Groovy and Python, with programming rights, which grants unrestricted read and write access to all wiki contents. The issue is patched in XWiki versions 14.4.8, 14.10.4, and 15.0-rc-1, and users are strongly advised to upgrade as soon as possible. Those unable to upgrade can apply commit `d9c88ddc` manually to the `SkinsCode.XWikiSkinsSheet` document.
Affected Products
- Xwiki
Affected Vendors
- xwiki
Advisories, Assessments, and Mitigations