Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.5

Type maven

Namespace org.xwiki.platform

Name xwiki-platform-panels-ui

Version 14.5

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 14.10-rc-1

Latest_non_vulnerable_version 14.10

Affected_by_vulnerabilities

url VCID-creg-bte6-effz

vulnerability_id VCID-creg-bte6-effz

summary

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`. Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `<xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet` where `<xwiki-host>` is the URL of your XWiki installation) should not execute the Groovy script. If it does, you will see `Hello from groovy!` displayed on the screen. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. For users unable to upgrade the issue can be fixed by editing the `PanelsCode.ApplicationsPanelConfigurationSheet` wiki page and making the same modifications as shown in commit `6de5442f3c`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27479

reference_id

reference_type

scores

value	0.1486
scoring_system	epss
scoring_elements	0.94657
published_at	2026-06-06T12:55:00Z

value	0.1486
scoring_system	epss
scoring_elements	0.94658
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27479

reference_url

https://github.com/xwiki/xwiki-platform

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/xwiki/xwiki-platform

reference_url

https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:47Z/

url

https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc

reference_url

https://jira.xwiki.org/browse/XWIKI-20294

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:47Z/

url

https://jira.xwiki.org/browse/XWIKI-20294

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27479

reference_id

CVE-2023-27479

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27479

reference_url

https://github.com/advisories/GHSA-qxjg-jhgw-qhrv

reference_id

GHSA-qxjg-jhgw-qhrv

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qxjg-jhgw-qhrv

reference_url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qxjg-jhgw-qhrv

reference_id

GHSA-qxjg-jhgw-qhrv

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-02-25T14:29:47Z/

url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qxjg-jhgw-qhrv

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10-rc-1
purl	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10-rc-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10-rc-1

aliases CVE-2023-27479, GHSA-qxjg-jhgw-qhrv

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-creg-bte6-effz

url VCID-gwde-vgye-53f1

vulnerability_id VCID-gwde-vgye-53f1

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.xwiki.platform:xwiki-platform-panels-ui.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-29212

reference_id

reference_type

scores

value	0.07739
scoring_system	epss
scoring_elements	0.92095
published_at	2026-06-05T12:55:00Z

value	0.07739
scoring_system	epss
scoring_elements	0.9209
published_at	2026-06-07T12:55:00Z

value	0.07739
scoring_system	epss
scoring_elements	0.92092
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-29212

reference_url

https://github.com/xwiki/xwiki-platform

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/xwiki/xwiki-platform

reference_url

https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:03:39Z/

url

https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217

reference_url

https://jira.xwiki.org/browse/XWIKI-20293

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:03:39Z/

url

https://jira.xwiki.org/browse/XWIKI-20293

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-29212

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-29212

reference_url

https://github.com/advisories/GHSA-c5f4-p5wv-2475

reference_id

GHSA-c5f4-p5wv-2475

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-c5f4-p5wv-2475

reference_url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475

reference_id

GHSA-c5f4-p5wv-2475

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:03:39Z/

url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10
purl	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10

aliases CVE-2023-29212, GHSA-c5f4-p5wv-2475

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gwde-vgye-53f1

url VCID-wk11-e7vg-y7h4

vulnerability_id VCID-wk11-e7vg-y7h4

summary Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.xwiki.platform:xwiki-platform-panels-ui.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-29214

reference_id

reference_type

scores

value	0.06474
scoring_system	epss
scoring_elements	0.91263
published_at	2026-06-06T12:55:00Z

value	0.06474
scoring_system	epss
scoring_elements	0.9126
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-29214

reference_url

https://github.com/xwiki/xwiki-platform

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/xwiki/xwiki-platform

reference_url

https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:02:37Z/

url

https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67

reference_url

https://jira.xwiki.org/browse/XWIKI-20306

reference_id

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:02:37Z/

url

https://jira.xwiki.org/browse/XWIKI-20306

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-29214

reference_id

reference_type

scores

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-29214

reference_url

https://github.com/advisories/GHSA-qx9h-c5v6-ghqh

reference_id

GHSA-qx9h-c5v6-ghqh

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qx9h-c5v6-ghqh

reference_url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh

reference_id

GHSA-qx9h-c5v6-ghqh

reference_type

scores

value	10
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	9.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-02-06T17:02:37Z/

url

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10
purl	pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.10

aliases CVE-2023-29214, GHSA-qx9h-c5v6-ghqh

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wk11-e7vg-y7h4

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-panels-ui@14.5

Package Instance