Xwiki Rendering
CVE-2023-37912
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1Blast Radius
ecosystem impact- 1 maven packages depend on org.xwiki.rendering:xwiki-rendering-macro-footnotes (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 15.0-rc-1.
DescriptionNVD
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of org.xwiki.platform:xwiki-core-rendering-macro-footnotes and org.xwiki.platform:xwiki-rendering-macro-footnotes and prior to version 15.1-rc-1 of org.xwiki.platform:xwiki-rendering-macro-footnotes, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro.
AnalysisAI
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-270. XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of org.xwiki.platform:xwiki-core-rendering-macro-footnotes and org.xwiki.platform:xwiki-rendering-macro-footnotes and prior to version 15.1-rc-1 of org.xwiki.platform:xwiki-rendering-macro-footnotes, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro. Affected products include: Xwiki Xwiki-Rendering. Version information: version 14.10.6.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Xwiki Rendering
View allXWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Rated c
Reflected XSS in XWiki Platform versions 7.0 through 17.7.0 enables attackers to craft malicious URLs that execute arbit
Same weakness CWE-270 – Privilege Context Switching Error
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today