Lucene search

GitHub_MCVELIST:CVE-2021-32621

HistoryMay 28, 2021 - 9:05 p.m.

CVE-2021-32621 Script injection without script or programming rights through Gadget titles

2021-05-2821:05:11

CWE-94

GitHub_M

www.cve.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

CNA Affected

[
  {
    "product": "xwiki-platform",
    "vendor": "xwiki",
    "versions": [
      {
        "status": "affected",
        "version": "< 12.6.7"
      },
      {
        "status": "affected",
        "version": ">= 12.10.0, < 12.10.3"
      }
    ]
  }
]

References

github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc

github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc

jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html

jira.xwiki.org/browse/XWIKI-17794

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.6%

JSON

Related for CVELIST:CVE-2021-32621