CVE-2023-37914
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2023-37914 is a high-severity (CVSS 3.1 8.8) remote code execution vulnerability in XWiki Platform, the generic wiki platform that provides runtime services for applications built on top of it. The flaw lies in how the Invitation application handles script macros: any user who can view the `Invitation.WebHome` page can cause arbitrary Groovy and Python macros to be executed, which gives unrestricted access to all wiki contents and, through those scripting engines, code execution on the server. The issue is fixed in XWiki 14.4.8, 14.10.6 and 15.2-rc-1, and administrators should upgrade to one of those releases. Installations that cannot be upgraded can apply the fix manually to the `Invitation.InvitationCommon` and `Invitation.InvitationConfig` pages; apart from that manual patch there is no known workaround, so upgrading remains the recommended remediation.
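The following is an added example for auditing an inventory of XWiki instances against the fixed releases named above; it is not code from XWiki or from the original advisory. It assumes XWiki's version-string conventions (X.Y or X.Y.Z, optionally suffixed with -milestone-N or -rc-N, where a pre-release sorts before the final release of the same number, so 15.2-rc-1 counts as fixed and 15.2-milestone-2 does not), and it assumes that a build below the listed fix on its own branch, or on a branch with no listed fix (for example 14.5 through 14.9, or anything older than 14.4), is affected. The suggested upgrade target for branches without a fix is this example's own choice of the nearest later fixed release.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases named in the advisory, keyed by the branch they belong to.
FIXED_RELEASES: Dict[str, str] = {
    "14.4": "14.4.8",
    "14.10": "14.10.6",
    "15": "15.2-rc-1",
}

# Assumed XWiki version format: X.Y, X.Y.Z, optionally -milestone-N or -rc-N.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)

# Pre-release stages sort before the final release of the same number:
# 15.2-milestone-1 < 15.2-rc-1 < 15.2
_STAGE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn an XWiki version string into a tuple that compares correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    if m.group(4):
        return (major, minor, patch, _STAGE_RANK[m.group(4).lower()], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def fix_for_branch(version: Version) -> Optional[str]:
    """Fixed release that applies to this version's branch, or None when the
    advisory lists no fix for that branch (assumed: such branches are affected)."""
    major, minor = version[0], version[1]
    if major >= 15:
        return FIXED_RELEASES["15"]
    if major == 14 and minor in (4, 10):
        return FIXED_RELEASES[f"14.{minor}"]
    return None


def is_fixed(text: str) -> bool:
    """True when the version is at or above the fix for its branch."""
    v = parse_version(text)
    fix = fix_for_branch(v)
    return fix is not None and v >= parse_version(fix)


def upgrade_target(text: str) -> Optional[str]:
    """Release to move to, or None when already fixed. For branches with no
    listed fix the nearest later fixed release is suggested (an assumption)."""
    v = parse_version(text)
    fix = fix_for_branch(v)
    if fix is not None:
        return None if v >= parse_version(fix) else fix
    if v[:2] < (14, 4):
        return FIXED_RELEASES["14.4"]
    if v[:2] < (14, 10):
        return FIXED_RELEASES["14.10"]
    return FIXED_RELEASES["15"]


def audit(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map each host name to its upgrade target (None when already fixed)."""
    return {host: upgrade_target(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names and versions are made up.
    sample = {
        "wiki-a": "14.10.5",
        "wiki-b": "14.10.6",
        "wiki-c": "15.2-rc-1",
        "wiki-d": "14.7.2",
        "wiki-e": "13.10.11",
    }
    for host, target in audit(sample).items():
        status = "patched" if target is None else f"affected, upgrade to {target}"
        print(f"{host}: {status}")
```

The version string to feed in is the one XWiki reports for the instance (for example in the administration UI); the check is conservative, treating any branch without a listed fixed release as affected rather than guessing.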
Affected Products
- Xwiki
Affected Vendors
- xwiki