CVE-2023-26477
org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
In short
A vulnerability in XWiki allows attackers to inject and execute arbitrary code (Groovy, Python, Velocity scripts) through a URL parameter called 'newThemeName' when changing themes. This can completely compromise the wiki and any system it runs on.
Technical detail
CWE-95 Code Injection via the 'newThemeName' URL parameter enables unauthenticated remote code execution through wiki syntax macro injection (Groovy, Python, Velocity). Exploitation requires crafting malicious URL parameters; no authentication or special conditions are needed. Impact is critical as arbitrary code execution allows complete system compromise.
Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
xwiki · xwiki-platformWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →