2 matches found
GHSA-2G5C-228J-P52X XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
Impact The tags document Main.Tags in XWiki didn't sanitize user inputs properly, allowing users with view rights on the document default in a public wiki or for authenticated users on private wikis to execute arbitrary Groovy, Python and Velocity code with programming rights. This allows bypassi...
XWiki Platform Web Parent POM vulnerable to XSS in the attachment history
Impact It's possible to store a JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. For example, attachment a file with name .jpg will execute the alert. Patches This issue has been patched in XWiki 13.10.6 and 14.3RC1. Workarounds I...