7 matches found
EUVD-2023-1273
Malicious code in bioql PyPI...
CVE-2023-29207 Improper Neutralization of Script-Related HTML Tags (XSS) in the LiveTable Macro
XWiki Commons are technical libraries common to several other top level XWiki projects. The Livetable Macro wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the Documents Macro that is included...
CVE-2023-29206 org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a...
org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
Impact There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate...
XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: liveData id="movies" properties="title,description" "data": "count": 1, "entries": "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "" , "meta":...
XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: async async="true" groovy println"Hello from Groovy!" /groovy /async Can be done by creating a new page or even through the user profile for users not having edit...
CVE-2023-26471
XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode anything dangerous is disabled, but the async macro does not take into account the restricted mode. This means that any user with...