CVE-2020-15171

In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. The only workaround is to give SCRIPT right only to trusted users.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

History

18 Nov 2021, 17:49

Type Values Removed Values Added
CWE CWE-94 CWE-74

Information

Published : 2020-09-10 20:15

Updated : 2023-12-10 13:27


NVD link : CVE-2020-15171

Mitre link : CVE-2020-15171

CVE.ORG link : CVE-2020-15171


JSON object : View

Products Affected

xwiki

  • xwiki
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')