CVE-2023-50723: Remote code execution/programming rights with configuration section from any user account
10
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.89745%
CWE
Published
12/16/2023
Updated
12/19/2023
KEV Status
No
Technology
Java
JavaTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-administration-ui | maven | >= 2.3, < 14.10.15 | 14.10.15 |
| org.xwiki.platform:xwiki-platform-administration-ui | maven | >= 15.0-rc-1, < 15.5.2 | 15.5.2 |
| org.xwiki.platform:xwiki-platform-administration-ui | maven | >= 15.6-rc-1, < 15.7-rc-1 | 15.7-rc-1 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from multiple instances where user-controlled input (heading values, class/page names) was directly evaluated or included in templates without adequate escaping. Key evidence includes:
- The commit 1157c1e shows the addition of permission checks and escaping for heading evaluation (previously using #evaluate($heading) without safeguards).
- Commit 0f367aa demonstrates added escaping for translation macro parameters in error messages.
- Commit 749f6ae introduces escaping in another error message path. The CWEs (CWE-94/CWE-95) and reproduction steps confirm code injection via these vectors. The affected components are clearly tied to administration UI templates handling ConfigurableClass objects.