22 matches found
GHSA-692V-783F-MG8X XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution
Impact By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a XWiki...
GHSA-P5F8-QF24-24CJ Velocity execution without script right through tree macro
Impact It's possible to execute a Velocity script without script right through the document tree. To reproduce: As a user without script right, create a document, e.g., named Nasty Title Set the document's title to $request.requestURI Click "Save & View" Reload the page in the browser The...
XWiki Platform privilege escalation from script right to programming right through title displayer
Impact In XWiki Platform, it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author. To reproduce: As a user with script but not programming right, create a document with the following content: velocity set$main =...
XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
Impact In XWiki Platform, it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. The reason for this is that the edit action sets the content without modifying the content author. To reproduce: Log in as a...
GHSA-G9W4-PRF3-M25G Obfuscated email addresses should not be sorted
Impact The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps. Patches This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1. Workarounds The workaround is t...
Obfuscated email addresses should not be sorted
Impact The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps. Patches This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1. Workarounds The workaround is t...
GHSA-7VR7-CGHH-CH63 XWiki Platform may retrieve email addresses of all users
Impact The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated: - the rest response was also containing the mail unobfuscated - user were able to filter and sort on the unobfuscated allowing to infer the mail content The...
XWiki Platform may retrieve email addresses of all users
Impact The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated: - the rest response was also containing the mail unobfuscated - user were able to filter and sort on the unobfuscated allowing to infer the mail content The...
XWiki Platform's tags on non-viewable pages can be revealed to users
Impact Tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. Patches This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. Workarounds There is no workaround...
GHSA-JGRG-QVPP-9VWR XWiki Platform vulnerable to code injection from account through AWM view sheet
Impact Steps to reproduce: 1. As a user without script or programming right, edit your user profile or any other document with the wiki editor and add the content groovyprintln"Hello " + "from Groovy!"/groovy 1. Edit the document with the object editor and add an object of type...
GHSA-GPQ5-7P34-VQX5 XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content asyncdisplay reference="Menu.WebHome" //async 3. Open t...
XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode
Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content asyncdisplay reference="Menu.WebHome" //async 3. Open t...
GHSA-MJW9-3F9F-JQ2W XWiki Platform vulnerable to code injection from view right on XWiki.ClassSheet
Impact Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous...
GHSA-3989-4C6X-725F XWiki Platform vulnerable to privilege escalation from view right on XWiki.AttachmentSelector
Impact Any user with view rights on XWiki.AttachmentSelector can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. See...
GHSA-HG5X-3W3X-7G96 xwiki-platform-web-templates vulnerable to Eval Injection
Impact Any user with edit rights on a page e.g., it's own user page, can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and...
GHSA-6VGH-9R3C-2CXP Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
Impact The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included since XWiki 3.5M1 and doesn't require script rights, this can be demonstrated wit...
GHSA-GX4F-976G-7G6V XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
Impact Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. Example to reproduce: Create a forget XAR file and inside it, have the following package.xml content: xml Helper pages...
XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference
Impact Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. Example to reproduce: Create a forget XAR file and inside it, have the following package.xml content: xml Helper pages...
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-menu-ui
Impact Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and parameters of the menu macro. The issue can ...
GHSA-JGC8-GVCX-9VFX XWiki Platform Improper Authorization check for inactive users
Impact Some resources are missing a check for inactive not yet activated or disabled users in XWiki, including the REST service: so a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default: so an inactive...