EUVD-2023-0963
Malicious code in bioql PyPI...
CVE-2023-26471
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
Impact: It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content asyncdisplay reference="Menu.WebHome" //async 3. Open t...
Code injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be execut...
XWiki Platform users may execute anything with superadmin right through comments and async macro
Impact: Comments are supposed to be executed with the right of superadmin, but in restricted mode anything dangerous is disabled; however, the async macro does not take the restricted mode into account. This means that any user with comment right can use the async macro to make it execute any wiki conten...
GHSA-VWR6-QP4Q-2WJ7 XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Impact: One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: async async="true" groovy println"Hello from Groovy!" /groovy /async Can be done by creating a new page or even through the user profile for users not having edit...
Design/Logic Flaw
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
CVE-2023-26471 XWiki Platform users may execute anything with superadmin right through comments and async macro
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...
CVE-2023-26471
CVE-2023-26471 concerns XWiki Platform where, starting with 11.6-rc-1, comments can trigger an async macro that executes code with superadmin rights despite restricted mode. The underlying issue is that the async macro does not honor restricted mode, enabling any user with comment rights to run ...
CVE-2023-26472 XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having ed...
PT-2023-20662 · Xwiki · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 11.6-rc-1 through 14.8 XWiki Platform versions 14.4.0 through 14.4.5 XWiki Platform versions 13.10.0 through 13.10.9 Description: The XWiki Platform is a generic wiki platform where comments are supposed to be executed...