Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. If the attack is successful, an error log entry with "Job content executed" will be produced. This vulnerability has been patched in XWiki 14.10.9 and 15.4RC1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
访问控制不恰当
Vulnerability Title
XWiki Platform 访问控制错误漏洞
Vulnerability Description
XWiki Platform是法国XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在访问控制错误漏洞,该漏洞源于Groovy作业检查存在安全漏洞。具有wiki编辑权限的攻击者可利用该漏洞进行远程代码执行(RCE)。
CVSS Information
N/A
Vulnerability Type
N/A