CVE-2023-50732 HIGH

CVE-2023-50732: Velocity execution without script right through tree macro

Vendor Xwiki

Product xwiki-platform

Weakness CWE-863 · Incorrect authorization

Published December 21, 2023

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

Key dates

02Disclosure timeline

December 21, 2023 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-50732 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/863.html

Related vulnerabilities

Identifiers

CVE CVE-2023-50732

CWE CWE-863

CVSS 8.3 / HIGH

Affected versions

Vendor Xwiki

Product xwiki-platform

Affected >= 8.3-rc-1, < 14.10.7

Vendor Xwiki

Product xwiki-platform

Affected >= 15.0-rc-1, < 15.2-rc-1

CVE-2023-50732: Velocity execution without script right through tree macro

01Description

02Disclosure timeline

03References

04Related CVE