Lucene search

PRIOn knowledge basePRION:CVE-2023-36477

HistoryJun 30, 2023 - 7:15 p.m.

Cross site scripting

2023-06-3019:15:00

PRIOn knowledge base

www.prio-n.com

xwiki platform

ckeditor space

harmful actions

removal of documents

persistent xss

patch

xwiki 14.10.6

xwiki 15.1

ckeditor integration extension

upgrade

edit rights

delete rights

user restrictions

nvd

0.001 Low

EPSS

Percentile

43.6%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service and editing the javascript configuration of CKEditor, leading to persistent XSS. This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. Users are advised to upgrade. Users unable to upgrade may manually address the issue by restricting the editanddeleterights to a trusted user or group (e.g. theXWiki.XWikiAdminGroupgroup), implicitly disabling those rights for all other users. See commit9d9d86179` for details.

CPENameOperatorVersion
ckeditor_integrationge1.9
ckeditor_integrationlt1.64.9
xwikieq15.0 rc1
xwikieq15.0
xwikige14.6
xwikilt14.10.6

Name	Operator	Version
ckeditor_integration	ge	1.9
ckeditor_integration	lt	1.64.9
xwiki	eq	15.0 rc1
xwiki	eq	15.0
xwiki	ge	14.6
xwiki	lt	14.10.6

References

github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f

github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2

jira.xwiki.org/browse/CKEDITOR-508

jira.xwiki.org/browse/XWIKI-20590

0.001 Low

EPSS

Percentile

43.6%

JSON

Related for PRION:CVE-2023-36477