CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%
Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript.
This requires social engineer to trick a user to follow the URL.
" + alert(1) + "
(the quotes need to be part of the name)."test"
.<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit
where <xwiki-server>
is the URL of your XWiki installation.This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
We’re not aware of any workaround except upgrading.
Vendor | Product | Version | CPE |
---|---|---|---|
org.xwiki.platform | xwiki-platform-oldcore | 16.0.0-rc-1 | cpe:2.3:a:org.xwiki.platform:xwiki-platform-oldcore:16.0.0-rc-1:*:*:*:*:*:*:* |
org.xwiki.platform | xwiki-platform-oldcore | * | cpe:2.3:a:org.xwiki.platform:xwiki-platform-oldcore:*:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%