3 matches found
CVE-2023-29516 Code injection from view right on XWiki.AttachmentSelector in xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on XWiki.AttachmentSelector can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is imprope...
CVE-2022-41928 XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code 'Eval Injection' in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties. This has been patched in versions 13.10.7, 14.4.2...
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Impact: Any user with the right to edit their personal page can follow one of the scenarios below. Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page (any image is fine) - Clic...
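The mechanism behind these three entries is the same: a macro parameter controlled by a low-privileged editor is spliced into wiki syntax that XWiki then renders, so a value that closes the surrounding macro (for example `{{/html}}`) and opens a script macro turns a harmless `alt` or `height` string into code. The following is an added example written for this page, not XWiki's AttachmentSelector.xml code and not XWiki's parser: a deliberately simplified Python model of the macro-boundary rule (content ends at the first matching `{{/name}}`, a tilde escapes the next character), a vulnerable builder that concatenates parameters into an `{{html}}` macro, and a hardened builder that neutralises the delimiters and validates `height`. The function names, the `attachment.png` path and the payload string are constructed for illustration.

```python
import html
import re

# Macro opener in the toy syntax: {{name}} or {{name param="..."}}
OPEN_RE = re.compile(r"\{\{([A-Za-z]+)(?:\s+[^}]*)?\}\}")

# Macros whose content is executed as code in the page author's context.
SCRIPT_MACROS = {"groovy", "python", "velocity"}


def parse_macros(wiki_text):
    """Toy scanner modelled on the XWiki 2.x macro rule (NOT XWiki's parser):
    a macro is {{name}}...{{/name}}, its content ends at the FIRST {{/name}},
    and '~' escapes the following character so it can never open a macro.
    Returns a list of (name, raw_content); plain text between macros is dropped."""
    macros, i = [], 0
    while i < len(wiki_text):
        if wiki_text[i] == "~":          # escaped character: skip it and the next one
            i += 2
            continue
        m = OPEN_RE.match(wiki_text, i)
        if not m:
            i += 1
            continue
        name = m.group(1)
        closer = "{{/" + name + "}}"
        end = wiki_text.find(closer, m.end())
        if end == -1:                    # unterminated macro: content runs to the end
            end = len(wiki_text)
        macros.append((name, wiki_text[m.end():end]))
        i = end + len(closer)
    return macros


def executed_script_macros(wiki_text):
    """Names of script macros the toy renderer would execute for this text."""
    return [name for name, _ in parse_macros(wiki_text) if name in SCRIPT_MACROS]


def escape_wiki(value):
    """Model of the '~' escape: every brace (and tilde) becomes a literal character,
    so '{{/html}}' in a parameter can no longer terminate the enclosing macro."""
    return re.sub(r"([{}~])", r"~\1", value)


def img_macro_unsafe(alt, height):
    # VULNERABLE pattern: editor-controlled parameters concatenated straight into
    # wiki syntax. A value containing {{/html}} ends the html macro early and
    # whatever follows is parsed as further macros.
    return ('{{html}}<img src="attachment.png" alt="' + alt
            + '" height="' + height + '"/>{{/html}}')


def img_macro_safe(alt, height):
    # HARDENED pattern: reject anything but a plain integer for height, then escape
    # alt for the HTML attribute context and, outermost, for the wiki syntax layer
    # that is parsed first.
    if not height.isdigit():
        raise ValueError("height must be a positive integer")
    safe_alt = escape_wiki(html.escape(alt, quote=True))
    return ('{{html}}<img src="attachment.png" alt="' + safe_alt
            + '" height="' + height + '"/>{{/html}}')


# Constructed payload for the 'alt' parameter: closes the attribute and the html
# macro, injects a script macro, then reopens html so the original closer still matches.
PAYLOAD_ALT = 'x"/>{{/html}}{{groovy}}println("hi"){{/groovy}}{{html}}<b alt="'


if __name__ == "__main__":
    print("unsafe executes:", executed_script_macros(img_macro_unsafe(PAYLOAD_ALT, "100")))
    print("safe executes:  ", executed_script_macros(img_macro_safe(PAYLOAD_ALT, "100")))
```

The hardened builder escapes for the layer that is parsed first (wiki syntax) on the outside and for the inner context (HTML attribute) on the inside, and it does not try to escape `height` at all: a parameter that has a narrow valid form is best validated rather than sanitised.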