8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.7%
It’s possible to execute a Velocity script without script right through the document tree.
To reproduce:
$request.requestURI
The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn’t have script right.
This has been patched in XWiki 14.10.7 and 15.2RC1.
A possible workaround is to:
#set ($discard = $translatedDocument.setTitle($translatedDocument.title))
#set ($discard = $translatedDocument.setcomment(''))
If you have any questions or comments about this advisory:
8.3 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
7.3 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.7%