How severe is CVE-2023-26472?

This vulnerability has a severity rating of HIGH with a CVSS score of 8.8 out of 10.

What type of vulnerability is CVE-2023-26472?

This is classified as CWE-116, which is a common weakness in software security.

CVE-2023-26472 - HIGH Severity | CVSS 8.8

Vulnerability Description

XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238af2b531026a614221d5d61f38.

Related Vulnerabilities

CVE-2013-2011

HIGH

CVSS:8.8(High)

WordPress W3 Super Cache Plugin before 1.3.2 contains a PHP code-execution vulnerability which could allow remote attackers to inject arbitrary code. This issue exists because of an incomplete fix for...

CWE-1162013

CVE-2014-9938

HIGH

CVSS:8.8(High)

contrib/completion/git-prompt.sh in Git before 1.9.3 does not sanitize branch names in the PS1 variable, allowing a malicious repository to cause code execution.

CWE-1162014

CVE-2018-8609

HIGH

CVSS:8.8(High)

A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) version 8 when the server fails to properly sanitize web requests to an affected Dynamics server, aka "Microsoft Dy...

CWE-1162018

CVE-2020-24972

HIGH

CVSS:8.8(High)

The Kleopatra component before 3.1.12 (and before 20.07.80) for GnuPG allows remote attackers to execute arbitrary code because openpgp4fpr: URLs are supported without safe handling of command-line op...

CWE-1162020

CVE-2020-26283

HIGH

CVSS:8.8(High)

go-ipfs is an open-source golang implementation of IPFS which is a global, versioned, peer-to-peer filesystem. In go-ipfs before version 0.8.0, control characters are not escaped from console output. ...

CWE-1162020

CVE-2021-32679

HIGH

CVSS:8.8(High)

Nextcloud Server is a Nextcloud package that handles data storage. In versions prior to 19.0.13, 20.0.11, and 21.0.3, filenames where not escaped by default in controllers using `DownloadResponse`. Wh...

CWE-1162021