XWiki programming rights may be inherited by inclusion

Impact The content of a document included using include reference="targetdocument"/ is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the include macro...

CVE-2023-35155 XWiki Platform vulnerable to cross-site scripting in target parameter via share page by email

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page XSS. For instance, the following URL execute an alter on the browser:...

XWiki Platform may retrieve email addresses of all users

Impact The mail obfuscation configuration was not fully taken into account and while the mail displayed to the end user was obfuscated: - the rest response was also containing the mail unobfuscated - user were able to filter and sort on the unobfuscated allowing to infer the mail content The...

XWiki Platform's tags on non-viewable pages can be revealed to users

Impact Tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. Patches This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0 RC1. Workarounds There is no workaround...

GHSA-J9H5-VCGV-2JFM XWiki Platform vulnerable to RXSS via editor parameter - importinline template

Impact It's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. To reproduce: add an attachment to a page for example, your user profile add...

CVE-2023-29510

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged...

CVE-2023-29512

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page e.g., it's own user page, can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is...

Design/Logic Flaw

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on XWiki.AttachmentSelector can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is imprope...

CVE-2023-29521 Code injection from account/view through VFS Tree macro in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of...

CVE-2023-29524 Code injection from account through XWiki.SchedulerJobSheet in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object editor and add a n...

CVE-2023-29525 Privilege escalation from view right on XWiki.Notifications.Code.LegacyNotificationAdministration in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Affected versions of xwiki are subject to code injection in the since parameter of the /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration endpoint. This provides an XWik...