Pipeline: Groovy Security Vulnerabilities

Paketo Buildpacks Bionic End Of Support

The Spring Boot plugins for Maven and Gradle provide the ability to build Docker images using Cloud Native Buildpacks. By default, Spring Boot uses the CNB builders provided by the Paketo Buildpacks project. What's Changed The Paketo Buildpacks project has announced that Ubuntu 18.04 Bionic-based.....

XWiki 2.5-m-1 < 14.4.8, 14.5 < 14.10.6, 15.0-rc-1 < 15.2-rc-1 Privilege Escalation Vulnerability (GHSA-7954-6m9q-gpvf)

Xwiki is prone to a privilege escalation...

XWiki < 14.10.9, 15.0-rc-1 < 15.4-rc-1 Improper Access Control Vulnerability (GHSA-8xhr-x3v8-rghj)

XWiki is prone to an improper access control...

CVE-2023-40573

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document....

CVE-2023-40573

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document....

CVE-2023-40573

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document....

Cross site request forgery (csrf)

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document....

CVE-2023-40573 XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document....

XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution

Impact XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this.....

XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution

Impact XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this.....

XWiki Platform privilege escalation (PR)/RCE from account through Invitation subject/message

Impact Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps: Open the invitation...

XWiki Platform privilege escalation (PR)/RCE from account through Invitation subject/message

Impact Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps: Open the invitation...

XWiki 1.0B1 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.1 Code Injection Vulnerability (GHSA-hg5x-3w3x-7g96)

Xwiki is prone to a code injection...

XWiki 3.1-milestone-1 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.1 Code Injection Vulnerability (GHSA-9j36-3cp4-rh4j)

Xwiki is prone to a code injection...

CVE-2023-37914

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to.....

CVE-2023-37914

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to.....

CVE-2023-37914

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to.....

Remote code execution

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to.....

CVE-2023-37914 Privilege escalation (PR)/RCE from account through Invitation subject/message

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view Invitation.WebHome can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to.....

XWiki 2.0-rc-2 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.1 Privilege Escalation Vulnerability (GHSA-3989-4c6x-725f)

Xwiki is prone to a privilege escalation...

XWiki 2.5-m-1 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.1 Privilege Escalation Vulnerability (GHSA-px54-3w5j-qjg9)

Xwiki is prone to a privilege escalation...

XWiki 7.4-milestone-2 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.2 Code Injection Vulnerability (GHSA-p67q-h88v-5jgr)

Xwiki is prone to a code injection...

XWiki 7.0-rc-1 < 14.4.8, 14.5 < 14.10.3 Code Injection Vulnerability (GHSA-mjw9-3f9f-jq2w)

Xwiki is prone to a code injection...

XWiki 3.3-milestone-1 < 13.10.11, 14.0-rc-1 < 14.4.8, 14.5 < 14.10.2 Code Injection Vulnerability (GHSA-x764-ff8r-9hpx)

Xwiki is prone to a code injection...

XWiki Platform - Remote Code Execution

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

XWiki 7.0-rc-1 < 14.4.8, 14.5 < 14.10.4 Code Injection Vulnerability (GHSA-h4vp-69r8-gvjg)

Xwiki is prone to a code injection...

org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability

Impact Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code...

org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability

Impact Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code...

CVE-2023-37462

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

CVE-2023-37462

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

CVE-2023-37462

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

Design/Logic Flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

CVE-2023-37462 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document SkinsCode.XWikiSkinsSheet leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute...

XWiki 7.4.4 < 14.10.3 Code Injection Vulnerability (GHSA-jgrg-qvpp-9vwr)

Xwiki is prone to a code injection...

Security Bulletin: Multiple vulnerabilities of Apache Groovy (groovy-all-2.3.11.jar) have affected APM JBoss and APM WebLogic Agent [CVE-202-17521, CVE-2016-6814, CVE-2015-3253]

Summary APM JBoss and APM WebLogic Agents are vulnerable to Apache Groovy(groovy-all-2.3.11.jar). [CVE-2020-17521, CVE-2016-6814, CVE-2015-3253] The fix includes groovy-all-2.3.11.jar upgraded to groovy-all-2.5.21.jar. Vulnerability Details ** CVEID: CVE-2020-17521 DESCRIPTION: **Apache Groovy...

XWiki Platform vulnerable to Code injection through NotificationRSSService

Impact Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps: ....

XWiki Platform vulnerable to Code injection through NotificationRSSService

Impact Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps: ....

org.xwiki.commons:xwiki-commons-xml's HTML sanitizer allows form elements in restricted

Impact The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add...

org.xwiki.commons:xwiki-commons-xml's HTML sanitizer allows form elements in restricted

Impact The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add...

"Free" Evil Dead Rise movie scam lurks in Amazon listings

Scammers are using a novel technique with Amazon listings to trick fans of Evil Dead into downloads they may not want, and expensive rolling payments they have no interest in. Evil Dead Rise, the breakout horror film of 2023, started with big cinema numbers and has moved on to a victory lap in...

CVE-2023-36469

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including...

CVE-2023-36469

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including...

CVE-2023-36469

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including...

Remote code execution

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including...

CVE-2023-36469 Code injection through NotificationRSSService in XWiki Platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including...

CVE-2023-36471

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for...

CVE-2023-36471

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for...

CVE-2023-36471

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for...

Input validation

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for...

CVE-2023-36471 HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml

Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for...