CVE-2023-29524

Public Exploit

Code injection from account through XWiki.SchedulerJobSheet in xwiki-platform

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass, In "Job Script", groovy code can be added and will be executed in the server context on viewing. This has been patched in XWiki 14.10.3 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this issue.

References

Link	Tags
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h	vendor advisory exploit
https://jira.xwiki.org/browse/XWIKI-20295	patch exploit vendor advisory issue tracking
https://jira.xwiki.org/browse/XWIKI-20462	patch exploit vendor advisory issue tracking

Frequently Asked Questions

What is the severity of CVE-2023-29524?: CVE-2023-29524 has been scored as a critical severity vulnerability.
How to fix CVE-2023-29524?: To fix CVE-2023-29524, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2023-29524 being actively exploited in the wild?: It is possible that CVE-2023-29524 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~42% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-29524?: CVE-2023-29524 affects xwiki xwiki-platform.

Description

Category

CWE-74 – Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

References

Frequently Asked Questions