XWiki Platform Code Injection Vulnerability
XWiki Platform is a suite of Wiki platforms for creating web collaboration applications from the French company XWiki. A security vulnerability exists in XWiki Platform versions prior to 13.10.6 and 14.4, which stems from the fact that if a user has a view, it is possible to use the...
GHSA-CJR8-5RW4-WH65 Jenkins Splunk Plugin Sandbox Bypass
Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST...
Jenkins allows for Privilege Escalation by Remote Authenticated Users
The combination filter Groovy script in Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors...
GHSA-WHF8-3H58-2W9F Jenkins Warnings Next Generation Plugin cross-site request forgery vulnerability
Jenkins Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to...
GHSA-X5JM-RJ37-5QH7 Sandbox Bypass in Script Security Plugin
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result i...
Liferay Portal and Liferay DXP Cross-Site Scripting Vulnerability (CNVD-2022-19496)
Liferay Portal and Liferay DXP are both products of Liferay, a J2EE-based portal solution that uses EJB and JMS technologies and serves as a web publishing and shared workspace, enterprise collaboration platform, social network, etc. Liferay DXP is a digital experience collaboration platform...
XWiki RCE Vulnerability (GHSA-mgjw-2wrp-r535)
XWiki is prone to a remote code execution (RCE) vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only. CPE = "cpe:/a:xwiki:xwiki";...
CVE-2022-23616 Remote code execution in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for an unprivileged user to perform a remote code execution by injecting a groovy script in her own profile and by calling the Reset password feature since t...
XWiki Platform Injection Vulnerability
XWiki Platform is a suite of wiki platforms for creating web collaboration applications from the French company XWiki. XWiki Platform suffers from an injection vulnerability: in affected versions, an unprivileged user can achieve remote code execution by injecting a Groovy...
CVE-2020-28884
Liferay Portal Server tested on 7.3.5 GA6, 7.2.0 GA1 is affected by OS Command Injection. An administrator user can inject Groovy script to execute any OS command on the Liferay Portal Server. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groo...
PT-2022-8909 · Liferay · Liferay Portal Server
Name of the Vulnerable Software and Affected Versions: Liferay Portal Server versions 7.2.0 GA1 through 7.3.5 GA6 Description: The issue allows an administrator user to inject Groovy script, enabling the execution of any OS command on the Liferay Portal Server. This is disputed by the developer a...
CVE-2020-28884
Liferay Portal Server versions 7.3.5 GA6 and 7.2.0 GA1 are affected by an OS command injection via Groovy Script execution. The underlying issue allows an administrator to inject Groovy scripts to run arbitrary OS commands on the Liferay Portal Server, requiring administrator privileges (PR:H) an...
CVE-2021-23259 Groovy Sandbox Bypass
Authenticated users with Administrator or Developer roles may execute OS commands via a Groovy script, which uses the Groovy library to render a webpage. The Groovy script has no security restrictions, which allows attackers to execute arbitrary commands remotely (RCE)...