CRITICAL🇬🇧 English

CVE-2023-45138

CVSS 10.0v3.1pub. 2023-10-12upd. 2024-11-21

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Xwiki Change Request

    APP
    Xwiki
    0.11 – 1.9.2 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
RCEXSS
CWE
Referencje

Powiązane podatności

CVE-2023-49280HIGH7.7ten sam produkt

XWiki Change Request is an XWiki application allowing to request changes on a wiki without publishing directly...

CVE-2025-24893CRITICAL9.8⚠ KEVPL ✓ten sam vendor

XWiki Platform — niezautoryzowany RCE przez endpoint SolrSearch

CVE-2025-65091CRITICAL10.0PL ✓ten sam vendor

SQL Injection w XWiki Full Calendar Macro — dostęp bez uwierzytelnienia

CVE-2025-55727CRITICAL10.0PL ✓ten sam vendor

XWiki Pro Macros: RCE przez brak escapowania parametru width w makro column

CVE-2025-55728CRITICAL10.0PL ✓ten sam vendor

RCE przez XWiki syntax injection w parametrze classes makra Panel