Lucene search
K

10 matches found

Prion
Prion
added 2023/04/16 8:15 a.m.19 views

Cross site scripting

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11...

4.9CVSS5.1AI score0.00423EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2023/04/16 7:4 a.m.34 views

CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...

9.9CVSS9.8AI score0.76297EPSS
Exploits1References3
OSV
OSV
added 2023/04/16 7:4 a.m.24 views

CVE-2023-29509 org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping o...

9.9CVSS8.6AI score0.76297EPSS
Exploits1References5
Cvelist
Cvelist
added 2023/04/16 6:52 a.m.42 views

CVE-2023-29507 org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors

XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking...

9.1CVSS9.4AI score0.00899EPSS
Exploits0References3
NVD
NVD
added 2023/04/15 5:15 p.m.38 views

CVE-2023-29209

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...

9.9CVSS9.7AI score0.01144EPSS
Exploits1References3
Cvelist
Cvelist
added 2023/04/15 4:6 p.m.50 views

CVE-2023-29209 org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro Eval Injection vulnerability

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki...

9.9CVSS9.8AI score0.01144EPSS
Exploits1References3
OSV
OSV
added 2023/04/12 8:35 p.m.15 views

GHSA-4655-WH7V-3VMG org.xwiki.platform:xwiki-platform-logging-ui Eval Injection vulnerability

Impact Steps to reproduce: It is possible to trick a user with programming rights into visiting...

9CVSS9.4AI score0.00439EPSS
Exploits1References5
Github Security Blog
Github Security Blog
added 2023/03/03 10:53 p.m.30 views

XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: liveData id="movies" properties="title,description" "data": "count": 1, "entries": "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "" , "meta":...

8.9CVSS5.2AI score0.00671EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2023/03/03 10:48 p.m.27 views

GHSA-3738-P9X3-MV9R XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author

Impact It's possible to use the right of an existing document content author to execute a text area property. To reproduce: As an admin with programming rights, create a new user without script or programming right. Login with the freshly created user. Insert the following text in source mode in...

9.9CVSS9.2AI score0.00787EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2023/03/03 10:46 p.m.28 views

Unprivileged XWiki Platform users can make arbitrary select queries using DatabaseListProperty and suggest.vm

Impact Any user with edit right can execute arbitrary database select and access data stored in the database. To reproduce: In admin, rights, remove scripting rights for XWikiAllGroup. Create a new user without any special privileges. Create a page "Private.WebHome" with TOKEN42 as content. Go to...

6.5CVSS6.5AI score0.00637EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder