CVE-2023-45138

2023-10-1217:15:09

CWE-79

GitHub_M

web.nvd.nist.gov

cve-2023-45138

change request

application security

script injection

remote code execution

vulnerability

nvd

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

AI Score

9.8

Confidence

High

EPSS

0.003

Percentile

72.0%

JSON

Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the fix commit.

Affected configurations

Nvd

Vulners

Node

xwikichange_requestRange0.11–1.9.2

VendorProductVersionCPE
xwikichange_request*cpe:2.3:a:xwiki:change_request:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	change_request	*	cpe:2.3:a:xwiki:change_request::::::::

CNA Affected

[
  {
    "vendor": "xwiki-contrib",
    "product": "application-changerequest",
    "versions": [
      {
        "version": ">= 0.11, < 1.9.2",
        "status": "affected"
      }
    ]
  }
]