Critical severityNVD Advisory· Published Mar 2, 2023· Updated Mar 5, 2025
org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
CVE-2023-26477
Description
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-flamingo-theme-uiMaven | >= 6.2.4, < 13.10.10 | 13.10.10 |
org.xwiki.platform:xwiki-platform-flamingo-theme-uiMaven | >= 14.0, < 14.4.6 | 14.4.6 |
org.xwiki.platform:xwiki-platform-flamingo-theme-uiMaven | >= 14.5, < 14.9-rc-1 | 14.9-rc-1 |
Affected products
2- Range: >= 6.2.4, < 13.10.10
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-x2qm-r4wx-8gpgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-26477ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpgghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-19757ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.