CVE-2023-27480

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.

Published: Mar 7, 2023
Updated: May 9, 2024
CVE: CVE-2023-27480
GHSA: GHSA-gx4f-976g-7g6v
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.7
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CWEs:

CWE-611

OWASP TOP 10:

A4 - XML External Entities (XXE)

Affected Software
References

Software	From	Fixed in
xwiki / xwiki	14.5	14.10
xwiki / xwiki	14.0	14.4.7
xwiki / xwiki	1.1-milestone4	1.1-milestone4.x
xwiki / xwiki	1.1-milestone3	1.1-milestone3.x
xwiki / xwiki	1.1.x	13.10.11
org.xwiki.platform / xwiki-platform-xar-model	1.1-milestone-3	13.10.11
org.xwiki.platform / xwiki-platform-xar-model	14.0	14.4.7
org.xwiki.platform / xwiki-platform-xar-model	14.5	14.10-rc-1

Vulnerability Database

CVE-2023-27480

Deep Security Visibility Without the Complexity