CVE-2023-29526

Description

### Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content ```{{async}}{{display reference="Menu.WebHome" /}}{{/async}}``` 3. Open the comments viewer from the menu (appends ?viewer=comments to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20394 https://jira.xwiki.org/browse/XRENDERING-694 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

How to fix CVE-2023-29526

To remediate CVE-2023-29526, upgrade the affected package to a fixed version below.

• —upgrade to 13.10.11 or later
• —upgrade to 13.10.11 or later

Is CVE-2023-29526 being exploited?

Moderate — EPSS is 22.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• >= 10.11.1, < 13.10.11
• >= 10.11.1, < 13.10.11

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-29526
• PATCHgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-gpq5-7p34-vqx5
• WEBjira.xwiki.org/browse/XRENDERING-694
• WEB