4 matches found
CVE-2022-24898
CVE-2022-24898 affects org.xwiki.commons:xwiki-commons-xml, a common module used by XWiki projects. The issue is XML External Entity Injection via the XML script service, allowing a script to access files on the user running the XWiki server. Affected: 2.7 up to but not including patched versions...
CVE-2023-36471
CVE-2023-36471 affects XWiki Commons HTML sanitizer (XWiki Commons) where allowed tags include form/input elements. The underlying issue is that the HTML sanitizer allowed form-related tags since 14.6RC1, enabling an attacker without scripting rights to craft a form that could trigger remote code...
CVE-2023-26055
CVE-2023-26055 affects XWiki Commons. Starting with version 3.1-milestone-1, any user can edit their own profile and inject code that runs with programming privileges; the vulnerability also appears in other short text fields displayed in Apps Within Minutes. The issue has been patched in version...
CVE-2023-29528
CVE-2023-29528 concerns XWiki Commons: the historic “restricted” HTML cleaning mode could be bypassed via invalid HTML comments, enabling cross-site scripting and potentially server-side code execution with programming rights when a privileged user views a crafted comment. Root cause is the HTML ...