VulnerableCode Package Details - pkg:maven/org.xwiki.platform/xwiki-platform-rendering-async-macro@14.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-gx1c-g91h-w3fs Aliases: CVE-2023-26471 GHSA-9cqm-5wf7-wcj7	XWiki Platform users may execute anything with superadmin right through comments and async macro XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.	14.9 Affected by 0 other vulnerabilities.
VCID-vqgg-gxsf-tqh1 Aliases: CVE-2023-29526 GHSA-gpq5-7p34-vqx5	Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed providing a code injection vector in the context of the running server. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.	14.10.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-gx1c-g91h-w3fs
Aliases:
CVE-2023-26471
GHSA-9cqm-5wf7-wcj7

XWiki Platform users may execute anything with superadmin right through comments and async macro XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`.

14.9
Affected by 0 other vulnerabilities.

VCID-vqgg-gxsf-tqh1
Aliases:
CVE-2023-29526
GHSA-gpq5-7p34-vqx5

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be executed when viewed providing a code injection vector in the context of the running server. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.

14.10.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-02T16:59:23.337810+00:00	GHSA Importer	Affected by	VCID-vqgg-gxsf-tqh1	https://github.com/advisories/GHSA-gpq5-7p34-vqx5	38.1.0
2026-04-02T16:59:03.225897+00:00	GHSA Importer	Affected by	VCID-gx1c-g91h-w3fs	https://github.com/advisories/GHSA-9cqm-5wf7-wcj7	38.1.0
2026-04-01T12:51:11.700663+00:00	GitLab Importer	Affected by	VCID-vqgg-gxsf-tqh1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-rendering-async-macro/CVE-2023-29526.yml	38.0.0
2026-04-01T12:50:57.578784+00:00	GitLab Importer	Affected by	VCID-gx1c-g91h-w3fs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.xwiki.platform/xwiki-platform-rendering-async-macro/CVE-2023-26471.yml	38.0.0