28 matches found
CVE-2023-29510 Code injection via unescaped translations in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged...
org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
Impact: There was no check on the author of a JavaScript xobject or StyleSheet xobject added to an XWiki document, so until now a user with only Edit right could create such an object and craft a script that performs operations when it is executed by a user with appropriate...
CVE-2022-23621
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions, any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as...
Partial authorization bypass on document save in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with SCRIPT right (EDIT right before XWiki 7.4) can save a document with the rights of the current user, which allows access to APIs requiring programming right if the current user has...
PT-2022-16135 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 12.10.9; versions prior to 13.4.3; versions prior to 13.7-rc-1. Description: The issue allows any user with SCRIPT right to read any file located in the XWiki WAR, such as xwiki.cfg...
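The version list in the entry above is what an operator has to turn into an "are we affected" check, and that is fiddly because XWiki ships the same fix on several maintenance branches at once and uses pre-release qualifiers such as 13.7-rc-1. The helper below is an added example, not part of this page or of the XWiki project: the fixed versions are copied from the entry, while the branch rule (a fix applies to the major.minor line it was cut on) and the qualifier ordering (milestone < rc < final) are my assumptions about how XWiki version strings should be compared.

```python
import re

# Fixed versions copied from the PT-2022-16135 / CVE-2022-23621 entry above.
# Everything else in this block is an added, hypothetical helper, not XWiki code.
FIXED_VERSIONS_CVE_2022_23621 = ["12.10.9", "13.4.3", "13.7-rc-1"]

# Pre-release qualifiers in ascending order; a final release outranks all of them.
# Assumption: XWiki orders milestone < rc < final.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

# Accepts "13.4.3", "13.7", "13.7-rc-1", "13.7-milestone-2".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$")


def parse_version(text):
    """Turn a version string into a tuple that sorts correctly.

    Layout: (major, minor, patch, qualifier_rank, qualifier_number). The
    numeric part is padded/truncated to exactly three places so that the
    qualifier fields always line up when tuples are compared.
    """
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    numbers = [int(p) for p in m.group(1).split(".")]
    numbers += [0] * (3 - len(numbers))
    if m.group(2) is None:
        return (*numbers[:3], _FINAL_RANK, 0)
    return (*numbers[:3], _QUALIFIER_RANK[m.group(2)], int(m.group(3)))


def branch_of(parsed):
    """Maintenance branch key: the major.minor pair (assumed branch model)."""
    return parsed[:2]


def is_affected(installed, fixed_versions=FIXED_VERSIONS_CVE_2022_23621):
    """Return True if `installed` falls inside an affected range.

    Rule: if a fixed version exists on the installed version's own branch,
    the installed version is affected iff it is older than that fix.
    Otherwise the nearest later fixed version closes the affected range,
    and a version newer than every listed fix is treated as clean.
    """
    v = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    same_branch = [f for f in fixed if branch_of(f) == branch_of(v)]
    if same_branch:
        return v < same_branch[0]
    return any(f > v for f in fixed)


def triage(installed_versions, fixed_versions=FIXED_VERSIONS_CVE_2022_23621):
    """Map each installed version string to its affected/clean verdict."""
    return {ver: is_affected(ver, fixed_versions) for ver in installed_versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    for ver, hit in triage(["11.10.5", "12.10.9", "13.4.2", "13.6.1", "13.7-rc-1", "14.0"]).items():
        print(f"{ver:>12}: {'AFFECTED' if hit else 'ok'}")
```

The branch rule is what makes 13.4.4 come out clean even though it sorts below 13.7-rc-1, and the qualifier ordering is what makes 13.7-milestone-2 still count as affected while 13.7-rc-1 itself does not; both are the cases a naive string or tuple comparison gets wrong.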
CVE-2020-15171 Users with SCRIPT rights can execute arbitrary code in XWiki
In XWiki before versions 11.10.5 or 12.2.1, any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server's Servlet context, which contains tools that allow instantiating arbitrary Java objects and invoking methods, which may lead to arbitrary code execution. The only...
GHSA-7QW5-PQHC-XM4G Users with SCRIPT right can execute arbitrary code in XWiki
Impact: Any user with SCRIPT right (EDIT right before XWiki 7.4) can gain access to the application server's Servlet context, which contains tools that allow instantiating arbitrary Java objects and invoking methods, which may lead to arbitrary code execution. Patches: It has been patched in both versions XWi...