Low severityNVD Advisory· Published Sep 10, 2020· Updated Aug 4, 2024

Users with SCRIPT rights can execute arbitrary code in XWiki

CVE-2020-15171

Description

In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-oldcoreMaven	< 11.10.5	11.10.5
org.xwiki.platform:xwiki-platform-oldcoreMaven	>= 12.0.0, < 12.2.1	12.2.1

Affected products

Xwiki/Xwiki Platformv5
Range: <11.10.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-7qw5-pqhc-xm4gghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2020-15171ghsaADVISORY
github.com/xwiki/xwiki-platform/security/advisories/GHSA-7qw5-pqhc-xm4gghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000