CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 2CVE-2023-26473 – XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm
https://notcve.org/view.php?id=CVE-2023-26473
XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vpx4-7rfp-h545 https://jira.xwiki.org/browse/XWIKI-19523 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26474 – XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
https://notcve.org/view.php?id=CVE-2023-26474
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r https://jira.xwiki.org/browse/XWIKI-20373 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 4EXPL: 2CVE-2023-26475 – XWiki Platform vulnerable to Remote Code Execution in Annotations
https://notcve.org/view.php?id=CVE-2023-26475
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr https://jira.xwiki.org/browse/XWIKI-20360 https://jira.xwiki.org/browse/XWIKI-20384 • CWE-269: Improper Privilege Management CWE-270: Privilege Context Switching Error •