Vulnerability Database
296,772
Total vulnerabilities in the database
CVE-2023-26477
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
| Software | From | Fixed in |
|---|---|---|
| xwiki / xwiki | 14.5 | 14.9 |
| xwiki / xwiki | 14.0 | 14.4.6 |
| xwiki / xwiki | 6.2.4 | 13.10.10 |
org.xwiki.platform / xwiki-platform-flamingo-theme-ui
|
6.2.4 | 13.10.10 |
|
org.xwiki.platform / xwiki-platform-flamingo-theme-ui
|
14.0 | 14.4.6 |
|
org.xwiki.platform / xwiki-platform-flamingo-theme-ui
|
14.5 | 14.9-rc-1 |
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime