{"vulnerability": "CVE-2023-2647", "sightings": [{"uuid": "5ab02ae5-252f-42ef-a80c-b655f7e85d90", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26479", "type": "seen", "source": "https://gist.github.com/gitadta/bdcb18b2450c5561a4b69ae9327383a8", "content": "", "creation_timestamp": "2025-05-23T04:16:39.000000Z"}, {"uuid": "ddcfc24d-6c6f-44ed-8a01-509a708d5627", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26475", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/6620", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-26475\n\ud83d\udd25 CVSS Score: 10 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.\n\ud83d\udccf Published: 2023-03-02T18:07:04.129Z\n\ud83d\udccf Modified: 2025-03-05T21:23:14.514Z\n\ud83d\udd17 References:\n1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr\n2. https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7\n3. https://jira.xwiki.org/browse/XWIKI-20360\n4. https://jira.xwiki.org/browse/XWIKI-20384", "creation_timestamp": "2025-03-05T21:34:57.000000Z"}, {"uuid": "1763b6e6-e67c-4a1c-8d5d-cca313ca42d9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26474", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/6621", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-26474\n\ud83d\udd25 CVSS Score: 10 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.\n\ud83d\udccf Published: 2023-03-02T18:12:16.209Z\n\ud83d\udccf Modified: 2025-03-05T21:21:51.637Z\n\ud83d\udd17 References:\n1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r\n2. https://jira.xwiki.org/browse/XWIKI-20373", "creation_timestamp": "2025-03-05T21:34:58.000000Z"}, {"uuid": "cf3e2465-6617-4f37-963b-0f7d5194ff6f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26472", "type": "seen", "source": "https://t.me/cibsecurity/59334", "content": "\u203c CVE-2023-26472 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238af2b531026a614221d5d61f38.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:36.000000Z"}, {"uuid": "eed424c5-4e79-4499-bc84-cad5e1636fa2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26477", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/6618", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-26477\n\ud83d\udd25 CVSS Score: 10 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue.\n\n\ud83d\udccf Published: 2023-03-02T17:52:40.359Z\n\ud83d\udccf Modified: 2025-03-05T21:27:38.903Z\n\ud83d\udd17 References:\n1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg\n2. https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284\n3. https://jira.xwiki.org/browse/XWIKI-19757", "creation_timestamp": "2025-03-05T21:34:52.000000Z"}, {"uuid": "5366d8be-9969-4720-ad69-27fba13c4d31", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26476", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/6619", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2023-26476\n\ud83d\udd25 CVSS Score: 7.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\ud83d\udd39 Description: XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.\n\ud83d\udccf Published: 2023-03-02T18:02:20.328Z\n\ud83d\udccf Modified: 2025-03-05T21:24:50.665Z\n\ud83d\udd17 References:\n1. https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5cf8-vrr8-8hjm\n2. https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8\n3. https://jira.xwiki.org/browse/XWIKI-19949", "creation_timestamp": "2025-03-05T21:34:53.000000Z"}, {"uuid": "454c8fd8-f541-4e78-b0d6-9f30967e7f28", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-2647", "type": "seen", "source": "https://t.me/cibsecurity/63870", "content": "\u203c CVE-2023-2647 \u203c\n\nA vulnerability was found in Weaver E-Office 9.5 and classified as critical. Affected by this issue is some unknown functionality of the file /webroot/inc/utility_all.php of the component File Upload Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228776. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-05-11T12:15:22.000000Z"}, {"uuid": "5b97fcbb-09d2-42cd-b88c-be31d17f60a7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26470", "type": "seen", "source": "https://t.me/cibsecurity/59336", "content": "\u203c CVE-2023-26470 \u203c\n\nXWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:38.000000Z"}, {"uuid": "68c93607-d135-4dd4-8133-5be4277e1d33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26475", "type": "seen", "source": "https://t.me/cibsecurity/59335", "content": "\u203c CVE-2023-26475 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:37.000000Z"}, {"uuid": "c43e7004-2053-4e11-b413-04ec8de29a8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26476", "type": "seen", "source": "https://t.me/cibsecurity/59339", "content": "\u203c CVE-2023-26476 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:44.000000Z"}, {"uuid": "e1ce9429-43ad-47d4-afcb-3e8e0668562a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26473", "type": "seen", "source": "https://t.me/cibsecurity/59338", "content": "\u203c CVE-2023-26473 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:43.000000Z"}, {"uuid": "a1bb15aa-9958-48f9-86f2-729034e48860", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26474", "type": "seen", "source": "https://t.me/cibsecurity/59332", "content": "\u203c CVE-2023-26474 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:31.000000Z"}, {"uuid": "919cbcd3-367b-48c0-8457-873f35709f89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-26471", "type": "seen", "source": "https://t.me/cibsecurity/59331", "content": "\u203c CVE-2023-26471 \u203c\n\nXWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-03-02T22:34:30.000000Z"}]}