4 matches found

OSV
added 2024/08/19 9:49 p.m. · 14 views

GHSA-WCG9-PGQV-XM5V XWiki Platform allows XSS through XClass name in string properties

Impact: It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user to follow the URL. Reproduction steps: 1. As a user without script or programming right, create a non-terminal document...

CVSS 9.4 · AI score 7.2 · EPSS 0.0727
Exploits: 1 · References: 5
Cvelist
added 2022/10/19 12:00 a.m. · 13 views

CVE-2022-42466 XSS vulnerability, eg for String properties.

Prior to 2.0.0-M9, it was possible for an end-user to set the value of an editable string property of a domain object to a value that would be rendered unchanged when the value was saved. In particular, the end-user could enter javascript or similar and this would be executed. As of this release,...

AI score 6.4 · EPSS 0.2198
Exploits: 0 · References: 2
Positive Technologies
added 2022/09/08 12:00 a.m. · 1 view

PT-2022-23181 · Xwiki · Xwiki-Platform-Web-Templates

Name of the Vulnerable Software and Affected Versions: XWiki Platform Web Templates versions prior to 13.10.4 and 14.2 Description: The issue allows access to string and list properties of objects that the user should not have access to, including private personal information like email addresses...

CVSS 7.5 · AI score 7.4 · EPSS 0.00451
Exploits: 0 · References: 9
Japan Vulnerability Notes
added 2012/02/10 5:29 a.m. · 1 view

Apache Struts 2 vulnerable to an arbitrary Java method execution

Overview: Apache Struts 2 contains an arbitrary Java method execution vulnerability. Apache Struts 2 is a framework to create Java web applications. Apache Struts 2 contains an arbitrary Java method execution vulnerability due to improper conversion in OGNL expression if a non-string property is...

CVSS 10 · AI score 7.1 · EPSS 0.11109
Exploits: 0 · References: 7