Platform: java
Component: xwiki-platform
Fixed in: 7.2.1
CVE-2020-11057 is a critical Remote Code Execution (RCE) vulnerability affecting XWiki Platform versions 7.2 through 11.10.2. This vulnerability allows registered users lacking scripting permissions to execute Python or Groovy scripts while editing their personal dashboards, potentially leading to complete system compromise. The vulnerability has been resolved in versions 11.3.7, 11.10.3, and 12.0.
The impact of CVE-2020-11057 is severe. An attacker can use it to execute arbitrary code on the XWiki server with the privileges of the user editing the dashboard, which can lead to data exfiltration, full system takeover and, if the server can reach other internal resources, lateral movement within the network. Arbitrary code execution also enables installing malware, modifying data and disrupting services. Because exploitation requires only a registered user account, the attack surface is far larger than for vulnerabilities that need administrative access.
CVE-2020-11057 was publicly disclosed on May 12, 2020. No active exploitation campaigns have been definitively linked to this CVE, but its low exploitation difficulty and critical severity make it a high-priority target. It is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Public proof-of-concept exploits are available, confirming how easily the vulnerability can be triggered.
Exploit Status
EPSS: 1.75% (83rd percentile)
CVSS Vector
The primary mitigation for CVE-2020-11057 is to upgrade XWiki Platform to version 11.10.3 or later, or to version 12.0. If immediate upgrading is not possible, consider restricting user permissions to prevent script execution within dashboards. Implement strict input validation and sanitization on all user-supplied data. Review existing dashboards for any suspicious scripts. After upgrading, verify the fix by attempting to execute a script within a user's dashboard with a non-privileged account; the script should be rejected.
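Two of the steps above, checking whether a deployment falls in the affected range and reviewing dashboards for unexpected script macros, are easy to script. The following is an added example written for this record; it is not code from the advisory or from the XWiki project. It assumes the affected range stated above (7.2 through 11.10.2, fixed in 11.3.7, 11.10.3 and 12.0), that 11.3.x releases at or after 11.3.7 carry the fix, that scripts appear in XWiki 2.x syntax as `{{groovy}}` / `{{python}}` macros, and that the caller supplies the set of users who legitimately hold the script right. The page tuples and the `TRUSTED` set are constructed sample data.

```python
"""Added example for CVE-2020-11057 (not the advisory's or XWiki's own code).

Two defender-side checks:
  1. is_affected(): decide from an XWiki Platform version string whether the
     deployment is in the affected range given in the record.
  2. find_script_macros(): scan exported page content for {{groovy}} /
     {{python}} macros so dashboards written by users without the script
     right can be reviewed.
"""
from __future__ import annotations

import re
from typing import Iterable

# Range boundaries taken from the record; the 11.3 branch boundary is an
# assumption (11.3.7 and later 11.3.x releases are treated as fixed).
FIRST_AFFECTED = (7, 2, 0)
FIXED_11_3 = (11, 3, 7)
NEXT_BRANCH = (11, 4, 0)
FIXED_11_10 = (11, 10, 3)


def parse_version(v: str) -> tuple[int, int, int]:
    """'11.10.2' -> (11, 10, 2); '12.0' -> (12, 0, 0).
    Pre-release suffixes such as '-rc-1' are ignored (assumption)."""
    m = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True when the version lies in the range the record marks as vulnerable."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False            # older than 7.2: not in the stated range
    if v < FIXED_11_3:
        return True             # 7.2 .. 11.3.6
    if v < NEXT_BRANCH:
        return False            # 11.3.7+ on the 11.3 branch (assumed fixed)
    return v < FIXED_11_10      # 11.4 .. 11.10.2 affected; 11.10.3 and 12.0+ fixed


# Script macros in XWiki 2.x syntax; case-insensitive because the macro
# name is matched that way in page content.
SCRIPT_MACRO = re.compile(r"\{\{\s*(groovy|python)\b", re.IGNORECASE)


def find_script_macros(
    pages: Iterable[tuple[str, str, str]],
    users_with_script_right: set[str],
) -> list[dict]:
    """pages: (document reference, last author, page content).
    Returns one finding per page that contains a groovy/python macro and
    whose last author is not expected to hold the script right."""
    findings = []
    for doc, author, content in pages:
        macros = sorted({m.group(1).lower() for m in SCRIPT_MACRO.finditer(content)})
        if macros and author not in users_with_script_right:
            findings.append({"document": doc, "author": author, "macros": macros})
    return findings


# Constructed sample export: (document, last author, content).
SAMPLE_PAGES = [
    ("XWiki.Admin", "XWiki.Admin",
     "{{velocity}}$services.localization.render('welcome'){{/velocity}}"),
    ("XWiki.alice", "XWiki.alice",
     "== Dashboard ==\n{{groovy}}\nprintln 'hello'\n{{/groovy}}"),
    ("XWiki.bob", "XWiki.bob",
     "{{python}}\nprint('x')\n{{/python}}\n{{Groovy}}{{/Groovy}}"),
    ("Sandbox.WebHome", "XWiki.carol", "Plain text, no macros here."),
]
TRUSTED = {"XWiki.Admin"}  # constructed: users assumed to hold the script right

if __name__ == "__main__":
    for ver in ("7.1.2", "7.2", "11.3.6", "11.3.7", "11.10.2", "11.10.3", "12.0"):
        print(f"{ver:>8}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
    for finding in find_script_macros(SAMPLE_PAGES, TRUSTED):
        print("review:", finding)
```

Run it against a real XAR export by replacing `SAMPLE_PAGES` with tuples built from the exported documents; any finding for a user who should not hold the script right is a dashboard worth inspecting before and after the upgrade.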
Upgrade XWiki Platform to version 11.3.7, 11.10.3 or 12.0 to fix the code injection vulnerability. This prevents registered users without scripting permissions from executing unauthorized scripts when editing personal dashboards.
CVE-2020-11057 is a critical Remote Code Execution vulnerability in XWiki Platform versions 7.2 through 11.10.2, allowing unauthorized script execution.
If you are running XWiki Platform versions 7.2 through 11.10.2, you are potentially affected by this vulnerability. Upgrade to a patched version immediately.
Upgrade XWiki Platform to version 11.10.3 or 12.0. As a temporary workaround, restrict user permissions to prevent script execution in dashboards.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a high-priority target.
Refer to the official XWiki security advisory: https://www.xwiki.com/en/security/advisories/XW-SA-2020-004/