Vulnerability Lookup

🛡️ CVE-2023-36469

🔴 CVSS 9.9 — Critical ✅ No Known Exploit CWE-74 NVD

9.9

CVSS Score

0 Low4 Medium7 High9 Critical10

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.6 and 15.2RC1. Users are advised to update. As a workaround the main security fix can be manually applied by patching the affected document `XWiki.Notifications.Code.NotificationRSSService`. This will break the link to the differences, though as this requires additional changes to Velocity templates as shown in the patch. While the default template is available in the instance and can be easily patched, the template for mentions is contained in a `.jar`-file and thus cannot be fixed without replacing that jar.

Details

Severity CRITICAL

CVSS Score 9.9

CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE CWE-74

Public Exploit ✅ No

Source NVD

Published 2023-06-30

Updated 2026-06-15

Modified 2023-11-08

Fix URL https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c

Affected Packages

Software	From version	Fixed in
org.xwiki.platform:xwiki-platform-notifications-ui	15.0-rc-1	15.2-rc-1
xwiki	—	—

References

WEB https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-94pf-92hw-2hjc

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-36469

WEB https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c

WEB https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-7221a548809fa2ba34348556f4b5bd436463c559ebdf691197932ee7ce4478ca

WEB https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-b261c6eac3108c3e6e734054c28a78f59d3439ab72fe8582dadf87670a0d15a4

PACKAGE https://github.com/xwiki/xwiki-platform

WEB https://jira.xwiki.org/browse/XWIKI-20610

🔗 NVD 🔗 Mitre ✅ Fix / Advisory

Similar Threats

Free Vulnerability Check

Is your WordPress site affected?

BotEraser helps you identify potentially vulnerable plugins and themes by checking your installation against known CVE records.

Scan My Site Free →

No credit card required · Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the vulnerabilities listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.

Is your WordPress site affected?

Company

Resources

Services

Trusted

Subscribe