5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-26056

GHSA ID

GHSA-859x-p6jp-rc2w

EPSS Score

0.4487%

CWE

CWE-863

Published

3/3/2023

Updated

3/3/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-26056

CVE-2023-26056: xwiki contains Incorrect Authorization

Impact

It's possible to execute a script with the right of another user (provided the target user does not have programming right).

For example, the following:

{{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}}

written by a user not having script right (for example in the user's profile) should produce an error (the user is not allowed to write scripts). However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script right (but not programming right) the script will be executed with as if it was written by the target user.

Patches

The problem has been patched in XWiki 14.8RC1, 14.4.5 and 13.10.10.

Workarounds

There's no workaround for this issue.

References

https://jira.xwiki.org/browse/XWIKI-19856

For more information

If you have any questions or comments about this advisory:

Open an issue in JIRA
Email us at security ML

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-26056

CVE-2023-26056:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-26056

GHSA ID

GHSA-859x-p6jp-rc2w

EPSS Score

0.4487%

CWE

CWE-863

Published

3/3/2023

Updated

3/3/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 3.0-milestone-1, < 13.10.10	13.10.10
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 14.0-rc-1, < 14.4.5	14.4.5
org.xwiki.platform:xwiki-platform-rendering-macro-context	maven	>= 14.5, < 14.8-rc-1	14.8-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper authorization checks during async script execution. The commit diff shows the patch added 'configuration.setAsyncAllowed(false)' and 'configuration.setCacheAllowed(false)' in ContextMacro.java. Before this fix, the async rendering framework could execute scripts using the target document's author's permissions instead of the current user's. The execute() method in ContextMacro.java is directly responsible for setting up the rendering context, making it the focal point of the authorization flaw. The absence of these restrictions allowed the context macro to bypass proper user rights validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-26056: xwiki contains Incorrect Authorization

Impact

Patches

Workarounds

References

For more information

CVE-2023-26056:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-26056: xwiki contains Incorrect Authorization

Impact

Patches

Workarounds

References

For more information

Basic Information

Basic Information

5.4

5.4

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI