CVE-2020-15252

CVSS v3.1: 8.8 (High)
CVSS v2.0: 9.0 (High)
EPSS: 1.18% (85th percentile)
Affected Products: 1
Advisories: 1

In XWiki before version 12.5 (12.x branch) and before version 11.10.6 (11.x branch), any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server's Servlet context, which exposes tools that allow instantiating arbitrary Java objects and invoking methods on them, which may lead to arbitrary code execution. This is patched in XWiki 12.5 and XWiki 11.10.6.

Weaknesses
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE Status: PUBLISHED
CNA: GitHub, Inc.
Published Date: 2020-10-16 17:15:11
Updated Date: 2021-11-18 16:16:48

Affected Products


Configuration #1

  Product                              CPE 2.3                  From   Up To (excluding)
  XWiki before 11.10.6                 cpe:2.3:a:xwiki:xwiki    -      11.10.6
  XWiki 12.0 and later, before 12.5    cpe:2.3:a:xwiki:xwiki    12.0   12.5
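The affected-version table above is the one thing a practitioner can act on immediately: given the version reported by an XWiki instance, decide whether it falls inside one of the two ranges (before 11.10.6, or 12.0 up to but not including 12.5). The following is an added example, not code from XWiki, the CNA or this database; it encodes the page's two ranges and compares parsed versions against them. The handling of pre-release suffixes such as "-rc-1" (treated as sorting just below the corresponding release, so that "12.5-rc-1" is still flagged) and the sample version strings in `main()` are this example's own assumptions, not anything the page states. It tells you only whether the version is in range; whether a given account actually holds SCRIPT right (or EDIT right on pre-7.4 instances) is a separate access-control check on the wiki itself.

```python
"""Version-range check for CVE-2020-15252 (XWiki).

Added example; not XWiki project code. Ranges come from the Configuration #1
table on this page: affected if version < 11.10.6, or 12.0 <= version < 12.5.
Pre-release handling and the sample inputs below are assumptions of this
example, not statements from the advisory.
"""
import re
from typing import List, Optional, Tuple

# A version is normalised to (major, minor, patch, rank) where rank is 0 for a
# final release and -1 for a pre-release such as "12.5-rc-1". A pre-release
# therefore sorts just below its final release (assumption: the fix ships in
# the final release, so the RC is still treated as affected).
Version = Tuple[int, int, int, int]

# Affected ranges from the page's table; upper bounds are exclusive ("<").
# None as the lower bound means "every version below the upper bound".
AFFECTED_RANGES: List[Tuple[Optional[Version], Version]] = [
    (None, (11, 10, 6, 0)),                 # XWiki before 11.10.6
    ((12, 0, 0, -1), (12, 5, 0, 0)),        # XWiki 12.0 (incl. pre-releases) before 12.5
]

_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """Parse "11.10.6", "12.5" or "12.5-rc-1" into a comparable 4-tuple.

    Missing components are padded with 0 ("12.5" -> 12.5.0). Anything after
    the numeric prefix marks a pre-release. Raises ValueError on garbage.
    """
    stripped = text.strip()
    m = _NUMERIC_PREFIX.match(stripped)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    rank = -1 if m.end() < len(stripped) else 0   # trailing suffix => pre-release
    return (parts[0], parts[1], parts[2], rank)


def is_affected(version: str) -> bool:
    """True if the given XWiki version lies in an affected range."""
    v = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if (low is None or v >= low) and v < high:
            return True
    return False


def triage(versions: List[str]) -> List[Tuple[str, bool]]:
    """Classify a batch of reported versions; unparsable strings are treated as
    affected so that they are surfaced rather than silently ignored."""
    results = []
    for raw in versions:
        try:
            results.append((raw, is_affected(raw)))
        except ValueError:
            results.append((raw, True))
    return results


def main() -> None:
    # Constructed sample inventory, not real hosts.
    sample = ["7.4", "11.10.5", "11.10.6", "12.0-rc-1", "12.4.3", "12.5-rc-1", "12.5", "13.1", "n/a"]
    for raw, hit in triage(sample):
        print(f"{raw:>10}  {'AFFECTED' if hit else 'ok'}")


if __name__ == "__main__":
    main()
```

Because XWiki's 11.x and 12.x lines were fixed independently, a plain "is it older than 12.5" test would wrongly flag every 11.x release; the two-range table is what makes 11.10.6 safe while 12.4.x is not.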