CVE-2023-26055
Published: 02 March 2023
Summary
CVE-2023-26055 is a critical-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability in XWiki Commons. Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 10.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Commons, the shared technical libraries used across multiple XWiki projects, contain an improper neutralization flaw (CWE-150) that permits stored code injection. The issue affects all versions starting from 3.1-milestone-1 and manifests when short text properties are rendered, including user profile pages and any application built with Apps Within Minutes that employs a short text field.
Any authenticated user with permission to edit their own profile or comparable short text fields can supply malicious code that executes with programming rights. Because the vulnerability is exploitable over the network with low attack complexity and no user interaction, an attacker can achieve full confidentiality, integrity, and availability impact within the affected XWiki instance, including scope change to other components.
Public advisories hosted on GitHub and the corresponding XWiki JIRA issues (XCOMMONS-2498, XWIKI-19793, XWIKI-19794) state that the flaw is resolved in releases 13.10.9, 14.4.4, and 14.7RC1; administrators are advised to upgrade to one of these versions.
EPSS scores have remained low, moving only from a peak of 0.0505 to a current value of 0.0490, indicating limited observed exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-0944
Vulnerability details
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.