CVE-2023-26472

Description

### Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: ``` }}} {{async async="true"}} {{groovy}} println("Hello from Groovy!") {{/groovy}} {{/async}} {{{ ``` Can be done by creating a new page or even through the user profile for users not having edit right. ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds An easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45 ### References https://jira.xwiki.org/browse/XWIKI-19731 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:security@xwiki.org)

How to fix CVE-2023-26472

To remediate CVE-2023-26472, upgrade the affected package to a fixed version below.

• —upgrade to 13.10.10 or later

Is CVE-2023-26472 being exploited?

Moderate — EPSS is 10.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• >= 6.2-milestone-1, < 13.10.10

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-26472
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-vwr6-qp4q-2wj7