CVE-2023-50732

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2023-50732
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-50732.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-50732
Aliases
Published
2023-12-21T19:42:01.215Z
Modified
2025-12-06T00:09:27.488719Z
Severity
  • 8.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L CVSS Calculator
Summary
Velocity execution without script right through tree macro
Details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute a Velocity script without script right through the document tree. This has been patched in XWiki 14.10.7 and 15.2RC1.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/50xxx/CVE-2023-50732.json"
}
References

Affected packages

Git / github.com/xwiki/xwiki-commons

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-commons
Events
Introduced
d9f3a2169df747a805dba03b1170407410840501
Fixed
1e168fcaa5e247cbb1c03ee66e5cffbcd36e3d71

Git / github.com/xwiki/xwiki-platform

Affected ranges

Type
GIT
Repo
https://github.com/xwiki/xwiki-platform
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
41d7dca2d30084966ca6a7ee537f39ee8354a7e3

Affected versions

xwiki-application-calendar-1.*

xwiki-application-calendar-1.0

xwiki-platform-7.*

xwiki-platform-7.3-milestone-2
xwiki-platform-7.4-milestone-1
xwiki-platform-7.4-milestone-2

xwiki-platform-8.*

xwiki-platform-8.0-milestone-1
xwiki-platform-8.0-milestone-2
xwiki-platform-8.1-milestone-1
xwiki-platform-8.1-milestone-2
xwiki-platform-8.2-milestone-1
xwiki-platform-8.2-milestone-2
xwiki-platform-8.3-milestone-1

xwiki-platform-9.*

xwiki-platform-9.9-rc-2

xwiki-plugin-tag-1.*

xwiki-plugin-tag-1.1