CVE-2023-40177: XWiki Platform privilege escalation (PR) from account through AWM content fields

August 21, 2023

Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation.

References

github.com/advisories/GHSA-5mf8-v43w-mfxp
github.com/xwiki/xwiki-platform/commit/dfb1cde173e363ca5c12eb3654869f9719820262
github.com/xwiki/xwiki-platform/security/advisories/GHSA-5mf8-v43w-mfxp
jira.xwiki.org/browse/XWIKI-7369

Code Behaviors & Features

Detect and mitigate CVE-2023-40177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →