13 matches found
CVE-2023-29528
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting...
Cross site scripting
XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11...
CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...
CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...
CVE-2023-29507 org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking...
CVE-2023-29209
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...
CVE-2023-29209 org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...
CVE-2023-29208 Data leak through deleted documents
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on...
GHSA-4655-WH7V-3VMG org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability
Impact Steps to reproduce: It is possible to trick a user with programming rights into visiting...
GHSA-4F8G-FQ6X-JQRR org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. Patches The problem has been...
org.xwiki.platform:xwiki-platform-oldcore vulnerable to data leak through deleted documents
Impact Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. Patches The problem has been...
GHSA-3738-P9X3-MV9R XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
Impact It's possible to use the right of an existing document content author to execute a text area property. To reproduce: As an admin with programming rights, create a new user without script or programming right. Login with the freshly created user. Insert the following text in source mode in...
Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm
Impact Any user with edit right can execute arbitrary database select and access data stored in the database. To reproduce: In admin, rights, remove scripting rights for XWikiAllGroup. Create a new user without any special privileges. Create a page "Private.WebHome" with TOKEN42 as content. Go to...