A vulnerability in the org.xwiki.commons:xwiki-commons-xml component of the XWiki platform, a web application development platform, allows attackers to execute cross-site scripting (XSS) attacks.
The vulnerability in the org.xwiki.commons:xwiki-commons-xml component of the XWiki platform, a web application development platform, stems from a lack of measures to protect the website structure. Exploiting it could allow a remote attacker to carry out XSS...
HTML Injection
xwiki-commons-xml is vulnerable to HTML Injection. The vulnerability exists because the HTMLDefinitions function in HTMLDefinitions.java does not properly disallow form-related tags in the HTML sanitizer, which allows an attacker to inject and execute malicious code such as <html>/</html> tags through the...
PT-2023-8607 · Xwiki · Xwiki-Commons-Xml
Name of the Vulnerable Software and Affected Versions:
org.xwiki.commons:xwiki-commons-xml versions 14.6-rc-1 through 14.10.3
org.xwiki.commons:xwiki-commons-xml versions prior to 15.0 RC1
Description: The HTML sanitizer in the org.xwiki.commons:xwiki-commons-xml library allows the injection of...
GHSA-8CW6-4R32-6R3H XWiki Platform may allow privilege escalation to programming rights via user's first name
Impact: Any user can edit their own profile and inject code that is then executed with programming rights. Steps to reproduce: Set your first name to cache id="userProfile"groovyprintln"Hello from groovy!"/groovy/cache The first name appears as interpreted "Hello from groovy" instead of the...
XML External Entity (XXE) Injection
xwiki-commons-xml is vulnerable to XML External Entity (XXE) Injection. The parse function of XMLUtils.java does not disable access to external entities by default, allowing an attacker to submit a malicious XML document to perform requests on behalf of the server...
CVE-2022-24898 Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server via XML External...