Vulnerabilities > CVE-2023-29206 - Unspecified vulnerability in Xwiki
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.
Vulnerable Configurations
References
- https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx
- https://jira.xwiki.org/browse/XWIKI-19514
- https://jira.xwiki.org/browse/XWIKI-19583
- https://jira.xwiki.org/browse/XWIKI-9119
- https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb
- https://jira.xwiki.org/browse/XWIKI-9119
- https://jira.xwiki.org/browse/XWIKI-19583
- https://jira.xwiki.org/browse/XWIKI-19514
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-cmvg-w72j-7phx