10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-26475

CVE-2023-26475: xwiki-platform vulnerable to Remote Code Execution in Annotations

Impact

The annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document.

To reproduce: add an annotation with the content {{groovy}}print "hello"{{/groovy}} and click the yellow scare to get a display of the annotation inline.

The result is "hello" but it should be an error suggesting that it's not allowed to use the groovy macro.

Patches

This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

There is no easy workaround except to upgrade.

References

https://jira.xwiki.org/browse/XWIKI-20360

https://jira.xwiki.org/browse/XWIKI-20384

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

This vulnerability has been reported by René de Sain @renniepak.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-26475

CVE-2023-26475:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-annotation-ui	maven	>= 2.3-milestone-1, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-annotation-ui	maven	>= 14.0-rc-1, < 14.4.7	14.4.7
org.xwiki.platform:xwiki-platform-annotation-ui	maven	>= 14.5, < 14.10	14.10

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the missing 'restricted' parameter in the addTextAreaField call when initializing comment fields. The patch explicitly adds 'true' as the fifth parameter to enable restricted mode (xclass.addTextAreaField(..., true)), which prevents macro execution. The Jira tickets XWIKI-20384/XWIKI-20360 and commit diff directly link this parameter omission to the RCE vulnerability, as unrestricted textareas allowed Groovy/Python code execution in annotations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-26475: xwiki-platform vulnerable to Remote Code Execution in Annotations

Impact

Patches

Workarounds

References

For more information

Attribution

CVE-2023-26475:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-26475: xwiki-platform vulnerable to Remote Code Execution in Annotations

Impact

Patches

Workarounds

References

For more information

Attribution

Technical Details

10

10

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI