Script injection without script or programming rights through Gadget titles

2021-05-1818:36:16

Google

osv.dev

0.01 Low

EPSS

Percentile

83.6%

JSON

Impact

A user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard.

Patches

The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

Workarounds

There’s no easy workaround for this issue, it is recommended to upgrade XWiki.

References

https://jira.xwiki.org/browse/XWIKI-17794

For more information

If you have any questions or comments about this advisory:

Open an issue in JIRA
Email us at XWiki security mailing-list

CPENameOperatorVersion
org.xwiki.commons:xwiki-commons-coreeq8.1-milestone-2
org.xwiki.commons:xwiki-commons-coreeq11.3.4
org.xwiki.commons:xwiki-commons-coreeq9.9-rc-2
org.xwiki.commons:xwiki-commons-coreeq5.4.4
org.xwiki.commons:xwiki-commons-coreeq5.3
org.xwiki.commons:xwiki-commons-coreeq12.6.6
org.xwiki.commons:xwiki-commons-coreeq6.2-milestone-2
org.xwiki.commons:xwiki-commons-coreeq12.3-rc-1
org.xwiki.commons:xwiki-commons-coreeq7.4.5
org.xwiki.commons:xwiki-commons-coreeq11.10.2

Name	Operator	Version
org.xwiki.commons:xwiki-commons-core	eq	8.1-milestone-2
org.xwiki.commons:xwiki-commons-core	eq	11.3.4
org.xwiki.commons:xwiki-commons-core	eq	9.9-rc-2
org.xwiki.commons:xwiki-commons-core	eq	5.4.4
org.xwiki.commons:xwiki-commons-core	eq	5.3
org.xwiki.commons:xwiki-commons-core	eq	12.6.6
org.xwiki.commons:xwiki-commons-core	eq	6.2-milestone-2
org.xwiki.commons:xwiki-commons-core	eq	12.3-rc-1
org.xwiki.commons:xwiki-commons-core	eq	7.4.5
org.xwiki.commons:xwiki-commons-core	eq	11.10.2