Critical severity (NVD advisory) · Published Apr 18, 2023 · Updated Feb 5, 2025
Async and display macro allow displaying and interacting with any document in restricted mode
CVE-2023-29526
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible to display or interact with any page a user cannot access by combining the async and display macros. A comment containing either macro is executed when the comment is viewed, providing a code injection vector in the context of the running server. The problem surfaces in restricted mode, the mode in which comments are rendered: an async macro in a comment is evaluated without that restriction, so a display macro nested inside it can render a document the commenting user cannot otherwise read. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.
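Until an instance is upgraded, the practical check is to audit stored comments (and other restricted-mode content) for a display macro nested inside an async block. The scanner below is an added example written for this page, not XWiki project code: it tokenises XWiki 2.x macro syntax with a small regex, tracks macro nesting on a stack, and reports every display macro found inside an {{async}} block together with the referenced document. It assumes double-quoted macro parameter values; the sample comments are constructed, and fetching real comment content from an instance (for example through the REST API) is left to the reader.

```python
import re

# Macro names whose body is another document rendered in place. The advisory
# names the display macro; adding others (e.g. include) here is an assumption
# of this example, not something the advisory states.
CONTENT_MACROS = {"display"}

# Tokenises XWiki 2.x macro tags: {{name p="v"}}, {{name p="v"/}} and {{/name}}.
# Assumption: parameter values are double-quoted, which is the common form.
MACRO_TOKEN = re.compile(
    r'\{\{(?P<close>/)?(?P<name>[A-Za-z][\w.-]*)'
    r'(?P<params>(?:\s+[\w.-]+="[^"]*")*)\s*(?P<self>/)?\}\}'
)
PARAM = re.compile(r'([\w.-]+)="([^"]*)"')


def find_async_display(content):
    """Return (macro, reference) for every content macro nested inside {{async}}.

    A stack of currently open macros tracks nesting, so an {{async}} wrapped in
    other block macros (info, box, ...) is still detected.
    """
    findings = []
    stack = []
    for m in MACRO_TOKEN.finditer(content):
        name = m.group("name").lower()
        if m.group("close"):
            # Pop back to the matching opener; ignore stray closers.
            if name in stack:
                while stack.pop() != name:
                    pass
            continue
        params = dict(PARAM.findall(m.group("params")))
        if name in CONTENT_MACROS and "async" in stack:
            findings.append((name, params.get("reference", "")))
        if not m.group("self"):
            stack.append(name)
    return findings


# Constructed sample comments (not from the advisory); "content" is the raw
# XWiki syntax an auditor would pull from the comment objects of each page.
SAMPLE_COMMENTS = [
    {"doc": "Main.WebHome", "author": "XWiki.alice",
     "content": "Thanks, looks good.\n{{info}}Reviewed{{/info}}"},
    {"doc": "Main.WebHome", "author": "XWiki.mallory",
     "content": '{{async}}{{display reference="Admin.Secrets"/}}{{/async}}'},
    {"doc": "Sandbox.WebHome", "author": "XWiki.bob",
     "content": '{{display reference="Sandbox.TestPage"/}}'},
    {"doc": "Sandbox.WebHome", "author": "XWiki.mallory",
     "content": '{{box}}\n{{async cached="false"}}\n'
                '{{display reference="Admin.Config" /}}\n{{/async}}\n{{/box}}'},
]


def scan_comments(comments):
    """Flag comments whose async block wraps a content macro, with the target reference."""
    flagged = []
    for c in comments:
        for macro, ref in find_async_display(c["content"]):
            flagged.append({"doc": c["doc"], "author": c["author"],
                            "macro": macro, "reference": ref})
    return flagged


if __name__ == "__main__":
    for hit in scan_comments(SAMPLE_COMMENTS):
        print(f'{hit["doc"]}: comment by {hit["author"]} renders '
              f'{hit["reference"]} via {hit["macro"]} inside async')
```

A display macro on its own (bob's comment above) is not flagged, because the advisory is about the combination; a hit therefore points at a comment worth deleting and an author worth reviewing, not merely at a use of the display macro.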
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched version |
|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore | >= 10.11.1, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-oldcore | >= 14.0-rc-1, < 14.4.8 | 14.4.8 |
| org.xwiki.platform:xwiki-platform-oldcore | >= 14.5, < 14.10.3 | 14.10.3 |
| org.xwiki.platform:xwiki-platform-rendering-async-macro | >= 10.11.1, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-rendering-async-macro | >= 14.0-rc-1, < 14.4.8 | 14.4.8 |
| org.xwiki.platform:xwiki-platform-rendering-async-macro | >= 14.5, < 14.10.3 | 14.10.3 |
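Deciding whether a deployment falls inside these ranges needs a version comparison that understands XWiki's pre-release qualifiers (14.0-rc-1 sorts before 14.0, as Maven orders them). The script below is an added example for this page, not tooling from XWiki or the advisory: it encodes the ranges from the table above, orders versions as (numbers, milestone < rc < final, qualifier number), and checks the affected Maven coordinates in a constructed pom.xml, resolving ${property} references the way a hand-written pom commonly uses them. Only the `major.minor[.patch][-rc-N|-milestone-N]` shapes seen in XWiki release numbers are accepted; anything else raises rather than being guessed.

```python
import re
import xml.etree.ElementTree as ET

# (lower bound inclusive, upper bound exclusive, patched version) per the advisory table.
# Both affected artifacts share the same ranges.
AFFECTED_RANGES = [
    ("10.11.1", "13.10.11", "13.10.11"),
    ("14.0-rc-1", "14.4.8", "14.4.8"),
    ("14.5", "14.10.3", "14.10.3"),
]
AFFECTED_ARTIFACTS = {
    "org.xwiki.platform:xwiki-platform-oldcore",
    "org.xwiki.platform:xwiki-platform-rendering-async-macro",
}

VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc|milestone)-(\d+))?$", re.I)


def version_key(v):
    """Sortable tuple for an XWiki version string; pre-releases sort before the final."""
    m = VERSION.match(v.strip())
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    # Assumption (matches Maven ordering): milestone < rc < final release.
    stage = 2 if qual is None else (1 if qual.lower() == "rc" else 0)
    return (int(major), int(minor), int(patch or 0), stage, int(qnum or 0))


def is_affected(version, ranges=AFFECTED_RANGES):
    """Return the patched version to upgrade to, or None if outside every affected range."""
    key = version_key(version)
    for low, high, fixed in ranges:
        if version_key(low) <= key < version_key(high):
            return fixed
    return None


# Constructed pom.xml for the example, not from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <platform.version>14.4.7</platform.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-oldcore</artifactId>
      <version>${platform.version}</version>
    </dependency>
    <dependency>
      <groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-rendering-async-macro</artifactId>
      <version>14.10.3</version>
    </dependency>
  </dependencies>
</project>
"""
NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def check_pom(pom_xml):
    """Map each affected coordinate found in the pom to (resolved version, patched version or None)."""
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    results = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        coord = f'{dep.findtext("m:groupId", "", NS)}:{dep.findtext("m:artifactId", "", NS)}'
        if coord not in AFFECTED_ARTIFACTS:
            continue
        version = dep.findtext("m:version", "", NS).strip()
        # Resolve ${name} against <properties>; unknown names are left as-is and will
        # fail version parsing, which is the safe outcome for a dependency we cannot assess.
        version = re.sub(r"\$\{([^}]+)\}", lambda mm: props.get(mm.group(1), mm.group(0)), version)
        results[coord] = (version, is_affected(version))
    return results


if __name__ == "__main__":
    for coord, (ver, fix) in check_pom(SAMPLE_POM).items():
        status = f"AFFECTED, upgrade to {fix}" if fix else "not in an affected range"
        print(f"{coord} {ver}: {status}")
```

Versions inherited from a parent pom or managed through `dependencyManagement` are not resolved here; for those, run `mvn dependency:list` (or inspect the deployed WAR's `WEB-INF/lib`) and feed the concrete version strings to `is_affected`.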
Patches
No patch commits linked yet; the fixed releases are listed under Affected packages.
References
- GitHub Advisory Database (GHSA-gpq5-7p34-vqx5): github.com/advisories/GHSA-gpq5-7p34-vqx5
- NVD: nvd.nist.gov/vuln/detail/CVE-2023-29526
- Project advisory (confirm): github.com/xwiki/xwiki-platform/security/advisories/GHSA-gpq5-7p34-vqx5
- XRENDERING-694: jira.xwiki.org/browse/XRENDERING-694
- XWIKI-20394: jira.xwiki.org/browse/XWIKI-20394