18 matches found
XWiki vulnerable to Denial of Service attack through attachments
Impact A user able to attach a file to a page can post a malformed TAR file by manipulating file modification times headers, which when parsed by Tika, could cause a denial of service issue via CPU consumption. Patches This vulnerability has been patched in XWiki 14.10.18, 15.5.3 and 15.8 RC1...
GHSA-RF8J-Q39G-7XFM XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
Impact Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. Patches The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. Workarounds The vulnerability can be fixed by applying this patch. ...
GHSA-JGG7-W2RJ-58CJ XWiki Platform vulnerable to privilege escalation from view right on XWiki.Notifications.Code.LegacyNotificationAdministration
Impact Steps to reproduce: Open...
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
Impact Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The URL...
GHSA-9HQH-FMHG-VQ2J Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Impact Any user with the right to edit his personal page can follow one of the scenario below: Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page any image is fine - Clic...
XWiki OIDC Authenticator vulnerable to bypassing OpenID login by providing a custom provider
Impact Even if a wiki has an OpenID provider configured through its xwiki.properties, it is possible to provide a third party provider by providing its details through request parameters. One can then bypass the XWiki authentication altogether by specifying its own provider through the...
GHSA-FXWR-4VQ9-9VHJ XWiki Cross-Site Request Forgery (CSRF) for actions on tags
Impact It's possible to perform a CSRF attack for adding or removing tags on XWiki pages. Patches The problem has been patched in XWiki 13.10.5 and 14.3. Workarounds It's possible to fix the issue without upgrading by locally modifying the documentTags.vm template in your filesystem, to apply the...
GHSA-XR6M-2P4M-JVQF XWiki Platform Wiki UI Main Wiki Eval Injection vulnerability
Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the request URL parameter using the XWikiServerClassSheet if the user has view access to this sheet and another page that has been saved with programming rights, a standard condition on a...
GHSA-PH5X-H23X-7Q5Q Cross-site Scripting in wiki manager join wiki page
Impact We found a possible XSS vector in the WikiManager.JoinWiki wiki page related to the "requestJoin" field. Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. Workarounds The easiest workaround is to edit the wiki page WikiManager.JoinWiki with wiki editor and chan...
Cross-site Scripting in wiki manager join wiki page
Impact We found a possible XSS vector in the WikiManager.JoinWiki wiki page related to the "requestJoin" field. Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. Workarounds The easiest workaround is to edit the wiki page WikiManager.JoinWiki with wiki editor and chan...
GHSA-VMHH-XH3G-J992 Cross-site Scripting in the Flamingo theme manager
Impact We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet wiki page related to the "newThemeName" form field. Patches The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. Workarounds The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeShe...
Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
Impact It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. For example: velocity set$xml=$services.get'xml' set$xxepayload = "" set$doc=$xml.parse$xxepayload $xml.serialize$doc...
GHSA-VH5C-JQFG-MHRH Cross-Site Request Forgery in xwiki-platform
Impact It's possible to know if a user has or not an account in a wiki related to an email address, and which usernames is actually tight to that email by forging a request to the Forgot username page. Note that since this page does not have a CSRF check it's quite easy to perform a lot of those...
Cross site scripting in registration template in xwiki-platform
Impact We found a possible XSS vector in the registerinline.vm template related to the xredirect hidden field. This template is only used in the following conditions: - the wiki must be open to registration for anyone - the wiki must be closed to view for Guest users more specifically the...
GHSA-V9J2-Q4Q5-CXH4 No CSRF protection on the password change form
Impact It's possible for forge an URL that, when accessed by an admin, will reset the password of any user in XWiki. Patches The problem has been patched in XWiki 12.10.5, 13.2RC1. Workarounds It's possible to apply the patch manually by modifying the registermacros.vm template like in...
GHSA-H4M4-PGP4-WHGM The reset password form reveal users email address
Impact The reset password form reveals the email address of users just by giving their username. Patches The problem has been patched on XWiki 13.2RC1. Workarounds It's possible to manually modify the resetpasswordinline.vm to perform the changes made in...
XSS Cross Site Scripting
Impact It is possible to persistently inject scripts in XWiki. For unregistred users: - By filling simple text fields For registered users: - By filling their personal information - if they have edit rights By filling the values of static lists using App Within Minutes That can lead to user's...
GHSA-79RG-7MV3-JRR5 Rating Script Service expose XWiki to SQL injection
Impact This issue impacts only XWiki with the Ratings API installed. The Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. Patches Th...