VYPR
High severity · NVD Advisory · Published Mar 7, 2023 · Updated Feb 25, 2025

Data leak through a XAR import XXE attack in xwiki-platform-xar-model

CVE-2023-27480

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.
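As an added illustration of the mitigation (example code, not the page's or XWiki's own patch): a hardened JAXP parser configuration for untrusted XAR entries, exercised on a constructed entry that declares an external entity; the entry's root element and file path are assumed placeholders. With a DOCTYPE disallowed, no entity can be declared that resolves to a file on the host, so the forged entry is rejected before any content is expanded.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XarEntryParser {

    // Constructed sample of one XAR document entry that smuggles in a DOCTYPE
    // with an external entity; the path is a placeholder, not a real target.
    static final String UNTRUSTED_ENTRY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE xwikidoc [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER\">]>\n"
      + "<xwikidoc><title>Imported page</title><content>&ext;</content></xwikidoc>";

    // Hardened factory: DOCTYPE declarations are refused outright, and external
    // entities / external DTDs are disabled as defence in depth.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses one entry with the hardened builder; returns null when rejected.
    static Document parseEntry(byte[] xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(new ByteArrayInputStream(xml));
        } catch (SAXParseException e) {
            // A DOCTYPE inside an import is worth logging: refuse the whole XAR.
            System.err.println("Rejected XAR entry: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseEntry(UNTRUSTED_ENTRY.getBytes(StandardCharsets.UTF_8));
        System.out.println(doc == null ? "entry rejected" : "entry accepted");
    }
}
```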


Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Ecosystem  Affected versions                 Patched version
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 1.1-milestone-3, < 13.10.11    13.10.11
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 14.0, < 14.4.7                 14.4.7
org.xwiki.platform:xwiki-platform-xar-model  Maven      >= 14.5, < 14.10-rc-1             14.10-rc-1
