CVE-2023-26477 Information
Description
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4 it’s possible to inject arbitrary wiki syntax including Groovy Python and Velocity script macros via the newThemeName request parameter (URL parameter) in combination with additional parameters. This has been patched in the supported versions 13.10.10 14.9-rc-1 and 14.4.6. As a workaround it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
Reference
https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 https://jira.xwiki.org/browse/XWIKI-19757 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg
Share on: