8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29519

GHSA ID

GHSA-3hjg-cghv-22ww

EPSS Score

0.93618%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29519

CVE-2023-29519: org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

Impact

A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1.

Workarounds

The problem can be worked around by applying following changes directly in XWiki.AttachmentSelector page: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1.

References

https://jira.xwiki.org/browse/XWIKI-20364
https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29519

GHSA ID

GHSA-3hjg-cghv-22ww

EPSS Score

0.93618%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-attachment-ui	maven	>= 3.0-rc-1, < 13.10.11	13.10.11
org.xwiki.platform:xwiki-platform-attachment-ui	maven	>= 14.0-rc-1, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-attachment-ui	maven	>= 14.5, < 14.10.2	14.10.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped user input in Velocity template-generated HTML. The commit patch adds XML escaping via $escapetool.xml() to the 'name' and 'value' attributes of the hidden input field. The affected code was directly inserting ${classname}${object}${property} and ${propValue} into the HTML output, making it susceptible to code injection when these values contain malicious payloads. The file path and injection pattern match both the CWE-74 description and the provided diff.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * r**ist*r** us*r **n p*r*orm r*mot* *o** *x**ution l***in* to privil*** *s**l*tion *y inj**tin* t** prop*r *o** in t** "prop*rty" *i*l* o* *n *tt***m*nt s*l**tor, *s * *****t o* t**ir own **s**o*r*. Not* t**t t** vuln*r**ility *o*s not im

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** us*r input in V*lo*ity t*mpl*t*-**n*r*t** *TML. T** *ommit p*t** ***s XML *s**pin* vi* $*s**p*tool.xml() to t** 'n*m*' *n* 'v*lu*' *ttri*ut*s o* t** *i***n input *i*l*. T** *****t** *o** w*s *ir**tly ins*rtin* $

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-29519: org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

Impact

Patches

Workarounds

References

For more information

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI