10 matches found
Cross site scripting
XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11...
CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...
CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...
CVE-2023-29507 org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking...
CVE-2023-29209
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...
CVE-2023-29209 org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...
GHSA-4655-WH7V-3VMG org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability
Impact Steps to reproduce: It is possible to trick a user with programming rights into visiting...
XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: liveData id="movies" properties="title,description" "data": "count": 1, "entries": "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "" , "meta":...
GHSA-3738-P9X3-MV9R XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
Impact It's possible to use the right of an existing document content author to execute a text area property. To reproduce: As an admin with programming rights, create a new user without script or programming right. Login with the freshly created user. Insert the following text in source mode in...
Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm
Impact Any user with edit right can execute arbitrary database select and access data stored in the database. To reproduce: In admin, rights, remove scripting rights for XWikiAllGroup. Create a new user without any special privileges. Create a page "Private.WebHome" with TOKEN42 as content. Go to...