mirror of
https://github.com/0xMarcio/cve.git
synced 2026-05-26 09:28:10 +02:00
marc
1.1 KiB
1.1 KiB
CVE-2023-26477
&color=brighgreen)
Description
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
POC
Reference
No PoCs from references.