SCA: security update for com.xpn.xwiki.platform:xwiki-core-rest-server, com.xpn.xwiki.platform:xwiki-rest, org.xwiki.platform:xwiki-platform-rest-server (GHSA-6xxr-648m-gch6)

critical Tenable Cloud Security Plugin ID 411724

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.
The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-
data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus
allowing cross-site request forgery. With the interaction of a user with programming rights, this allows
remote code execution through script macros and thus impacts the integrity, availability and
confidentiality of the whole XWiki installation. For regular cookie-based authentication, the
vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by
default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a
CSRF token header for certain request types that are susceptible to CSRF attacks. (CVE-2023-37277)

See Also

https://github.com/advisories/GHSA-6xxr-648m-gch6

Plugin Details

Severity: Critical

ID: 411724

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 94.66

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-37277

CVSS v3

Risk Factor: Critical

Base Score: 9.6

Temporal Score: 8.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 7/10/2023

Vulnerability Publication Date: 7/10/2023

Reference Information

CVE: CVE-2023-37277

cwe: CWE-352