3 matches found
GHSA-GPQ5-7P34-VQX5 XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
Impact: It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content {{async}}{{display reference="Menu.WebHome" /}}{{/async}} 3. Open t...
XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
Impact: It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content {{async}}{{display reference="Menu.WebHome" /}}{{/async}} 3. Open t...
Code injection
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either macro will be execut...