Lucene search
+L

49 matches found

Github Security Blog
Github Security Blog
added 2022/04/28 9:16 p.m.47 views

Arbitrary filesystem write access from velocity.

Impact The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which...

7.5CVSS0.5AI score0.01476EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2022/04/28 9:16 p.m.65 views

GHSA-CVX5-M8VG-VXGC Arbitrary filesystem write access from velocity.

Impact The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which...

7.5CVSS5.8AI score0.01476EPSS
Exploits1References6
Cvelist
Cvelist
added 2022/04/28 7:35 p.m.38 views

CVE-2022-24898 Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External...

4.9CVSS5.6AI score0.0145EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2022/04/28 7:31 p.m.34 views

Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml

Impact It's possible in a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. For example: velocity set$xml=$services.get'xml' set$xxepayload = "" set$doc=$xml.parse$xxepayload $xml.serialize$doc...

4.9CVSS1AI score0.0145EPSS
Exploits1References5Affected Software1
Github Security Blog
Github Security Blog
added 2021/07/02 7:19 p.m.99 views

A user without PR can reset user authentication failures information

Impact The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights as it should have. Note that being able to reset the authentication failure record mean that an attacker with script right might...

5.5CVSS0.2AI score0.00499EPSS
Exploits0References4Affected Software1
Prion
Prion
added 2021/07/01 5:15 p.m.27 views

Authentication flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script right...

5.5CVSS5.4AI score0.00499EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2021/07/01 5:15 p.m.2 views

CVE-2021-32729

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script right...

5.5CVSS6.1AI score0.00499EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2021/03/23 10:48 p.m.69 views

Rating Script Service expose XWiki to SQL injection

Impact This issue impacts only XWiki with the Ratings API installed. The Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. Patches Th...

8.8CVSS0.2AI score0.01345EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2020/09/10 7:19 p.m.57 views

Users with SCRIPT right can execute arbitrary code in XWiki

Impact Any user with SCRIPT right EDIT right before XWiki 7.4 can gain access to the application server Servlet context which contains tools allowing to instantiate arbitrary Java objects and invoke methods that may lead to arbitrary code execution. Patches It has been patched in both version XWi...

6.6CVSS1.3AI score0.01341EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder