Critical severity · NVD Advisory · Published Mar 2, 2023 · Updated Mar 5, 2025
XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
CVE-2023-26474
Description
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the rights of an existing document's content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 13.10, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) | >= 13.10, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 14.0, < 14.4.7 | 14.4.7 |
| org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) | >= 14.0, < 14.4.7 | 14.4.7 |
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 14.5, < 14.10 | 14.10 |
| org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven) | >= 14.5, < 14.10 | 14.10 |
Affected products
- Range: >= 13.10, < 13.10.11
References
- github.com/advisories/GHSA-3738-p9x3-mv9r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-26474 (ghsa, ADVISORY)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r (ghsa, x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-20373 (ghsa, x_refsource_MISC, WEB)