XWiki Footnote Macro RCE < v14.10.6 and v15.1-rc-1
CVE-2023-37912 Published on October 25, 2023
XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro.
Vulnerability Analysis
CVE-2023-37912 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2023-37912. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Privilege Context Switching Error
The software does not properly manage privileges while it is switching between different contexts that have different privileges or spheres of control.
Products Associated with CVE-2023-37912
stack.watch emails you whenever new vulnerabilities are published in Xwiki Rendering or Xwiki. Just hit a watch button to start following.
Affected Versions
xwiki-rendering:- Version < 14.10.6 is affected.
- Version >= 15.0-rc-1, < 15.1-rc-1 is affected.
Vulnerable Packages
The following package name and versions may be associated with CVE-2023-37912
| Package Manager | Vulnerable Package | Versions | Fixed In |
|---|---|---|---|
| maven | org.xwiki.rendering:xwiki-rendering-macro-footnotes | < 14.10.6 | 14.10.6 |
| maven | org.xwiki.rendering:xwiki-rendering-macro-footnotes | >= 15.0-rc-1, < 15.1-rc-1 | 15.1-rc-1 |
| maven | org.xwiki.platform:xwiki-core-rendering-macro-footnotes | < 14.10.6 | 14.10.6 |
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.