XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel
Impact It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. To reproduce: * Add an object of type UIExtensionClass * Set "Extension Point ID" to org.xwiki.platform.help.tipsPanel * Set "Extension ID" to org.xwiki.platform.user.test (needs...
CVSS 9.9 | AI Score 10 | EPSS 0.002
(RHSA-2023:3198) Critical: jenkins and jenkins-2-plugins security update
Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Security Fix(es): apache-commons-text: variable interpolation RCE (CVE-2022-42889) jenkins-plugin/script-security: Sandbox bypass vulnerabilities in...
AI Score 7.8 | EPSS 0.972
Privilege escalation (PR)/RCE from account through class sheet
Impact It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. Steps to Reproduce: Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value Default Class Sheet Edit your user profile with the wiki...
CVSS 9.9 | AI Score 6.5 | EPSS 0.002
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via...
CVSS 8.8 | AI Score 8.7 | EPSS 0.046
The integrator in Jedox GmbH Jedox 2020.2.5 allows remote authenticated users to create Jobs to execute arbitrary code via...
AI Score 8.9 | EPSS 0.046
Xwiki is prone to a code injection...
CVSS 9.9 | AI Score 9 | EPSS 0.002
XWiki 14.0-rc-1 < 14.4.7, 14.5.x < 14.10 Code Injection Vulnerability (GHSA-c5f4-p5wv-2475)
Xwiki is prone to a code injection...
CVSS 9.9 | AI Score 9 | EPSS 0.002
Xwiki is prone to a privilege escalation...
CVSS 9.9 | AI Score 9 | EPSS 0.002
Impact Steps to reproduce: Open...
CVSS 9.9 | AI Score 6.7 | EPSS 0.003
Impact Steps to reproduce: Open...
CVSS 9.9 | AI Score 7.4 | EPSS 0.003
XWiki Platform vulnerable to code injection from account through AWM view sheet
Impact Steps to reproduce: As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content {{groovy}}println("Hello " + "from Groovy!"){{/groovy}} Edit the document with the object editor and add an object of type...
CVSS 9.9 | AI Score 6 | EPSS 0.001
XWiki Platform vulnerable to code injection from account through AWM view sheet
Impact Steps to reproduce: As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content {{groovy}}println("Hello " + "from Groovy!"){{/groovy}} Edit the document with the object editor and add an object of type...
CVSS 9.9 | AI Score 5.9 | EPSS 0.001
XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet
Impact It's possible to execute anything with the right of the Scheduler Application sheet page. To reproduce: 1. As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler") 1. In "Job...
CVSS 9.9 | AI Score 6.2 | EPSS 0.001
XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet
Impact It's possible to execute anything with the right of the Scheduler Application sheet page. To reproduce: 1. As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler") 1. In "Job...
CVSS 9.9 | AI Score 6.3 | EPSS 0.001
XWiki Platform vulnerable to code injection in display method used in user profiles
Impact Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The following syntax, to be put, e.g., in the about section of the user...
CVSS 9.9 | AI Score 7.2 | EPSS 0.006
XWiki Platform vulnerable to code injection in display method used in user profiles
Impact Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The following syntax, to be put, e.g., in the about section of the user...
CVSS 9.9 | AI Score 7.4 | EPSS 0.006
XWiki Platform vulnerable to code injection from view right on XWiki.ClassSheet
Impact Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous...
CVSS 9.9 | AI Score 7.5 | EPSS 0.004
XWiki Platform vulnerable to code injection from view right on XWiki.ClassSheet
Impact Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous...
CVSS 9.9 | AI Score 7.3 | EPSS 0.004
XWiki Platform vulnerable to code injection from account/view through VFS Tree macro
Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Macro.VFSTreeMacro. This page is not installed by default. See https://jira.xwiki.org/browse/XWIKI-20260 for the...
CVSS 8.8 | AI Score 6.8 | EPSS 0.002
XWiki Platform vulnerable to code injection from account/view through VFS Tree macro
Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Macro.VFSTreeMacro. This page is not installed by default. See https://jira.xwiki.org/browse/XWIKI-20260 for the...
CVSS 8.8 | AI Score 6.7 | EPSS 0.002
XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon
Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Invitation.InvitationCommon. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for...
CVSS 9.9 | AI Score 6.8 | EPSS 0.002
XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon
Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Invitation.InvitationCommon. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for...
CVSS 9.9 | AI Score 6.7 | EPSS 0.002
XWiki Platform vulnerable to privilege escalation from view right on XWiki.AttachmentSelector
Impact Any user with view rights on XWiki.AttachmentSelector can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. See...
CVSS 9.9 | AI Score 6.7 | EPSS 0.002
XWiki Platform vulnerable to privilege escalation from view right on XWiki.AttachmentSelector
Impact Any user with view rights on XWiki.AttachmentSelector can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. See...
CVSS 9.9 | AI Score 6.8 | EPSS 0.002
XWiki vulnerable to Code Injection in template provider administration
Impact Any user with edit rights on any document (e.g., the own user profile) can execute code with programming rights, leading to remote code execution by following these steps: Set the title of any document you can edit (can be the user profile) to {{async async="true" cached="false"...
CVSS 9.9 | AI Score 7.2 | EPSS 0.004
XWiki vulnerable to Code Injection in template provider administration
Impact Any user with edit rights on any document (e.g., the own user profile) can execute code with programming rights, leading to remote code execution by following these steps: Set the title of any document you can edit (can be the user profile) to {{async async="true" cached="false"...
CVSS 9.9 | AI Score 7.1 | EPSS 0.004
xwiki-platform-web-templates vulnerable to Eval Injection
Impact Any user with edit rights on a page (e.g., their own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm,...
CVSS 9.9 | AI Score 6.6 | EPSS 0.002
xwiki-platform-web-templates vulnerable to Eval Injection
Impact Any user with edit rights on a page (e.g., their own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm,...
CVSS 9.9 | AI Score 6.4 | EPSS 0.002
Code injection via unescaped translations in xwiki-platform
Impact In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at...
CVSS 9.9 | AI Score 6.8 | EPSS 0.004
Code injection via unescaped translations in xwiki-platform
Impact In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at...
CVSS 9.9 | AI Score 6.9 | EPSS 0.004
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object editor and add a...
CVSS 9.9 | AI Score 8.9 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object editor and add a...
CVSS 9.9 | AI Score 8.7 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing the document after...
CVSS 8.8 | AI Score 9.6 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights can edit their user profile with the object editor and add a...
CVSS 8.8 | AI Score 9.6 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing the document after...
CVSS 9.9 | AI Score 8.8 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions a user without script or programming right may edit a user profile (or any other document) with the wiki editor and add groovy script content. Viewing the document after...
CVSS 9.9 | AI Score 9 | EPSS 0.001
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of...
CVSS 9.9 | AI Score 8.8 | EPSS 0.002
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of...
CVSS 8.8 | AI Score 8.8 | EPSS 0.002