CVE-2026-33229
EPSS 0.07%XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
描述
### Impact An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. ### Patches The vulnerability has been patched in XWiki 17.4.8 and 17.10.1 by requiring programming right to access the affected scripting API. ### Workarounds We're not aware of any workarounds except for being careful whom you grant script right. ### Attribution We thank Youssef Azefzaf for discovering and reporting this vulnerability.
受影響套件(2)
- Maven/org.xwiki.platform:xwiki-platform-legacy-oldcore>= 17.0.0-rc-1, < 17.4.8
- Maven/org.xwiki.platform:xwiki-platform-oldcore>= 17.0.0-rc-1, < 17.4.8
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33229
- PATCHhttps://github.com/xwiki/xwiki-platform
- WEBhttps://github.com/xwiki/xwiki-platform/commit/9fe84da66184c05953df9466cf3a4acd15a46e63
- WEBhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h259-74h5-4rh9
- WEBhttps://jira.xwiki.org/browse/XWIKI-23698
- WEBhttps://jira.xwiki.org/browse/XWIKI-23702