3 matches found
CVE-2023-29207 Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included...
XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: async async="true" groovy println"Hello from Groovy!" /groovy /async Can be done by creating a new page or even through the user profile for users not having edit...
CVE-2023-26471
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...