XWiki Velocity Script Exec in 14.x/15.x before 14.10.7/15.2RC1 (CVE-2023-50732)
CVE-2023-50732 Published on December 21, 2023
Velocity execution without script right through tree macro
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.
Vulnerability Analysis
CVE-2023-50732 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low. considered to have a small impact on confidentiality and integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2023-50732 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2023-50732
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 8.3-rc-1, < 14.10.7 is affected.
- Version >= 15.0-rc-1, < 15.2-rc-1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.