Veracode Vulnerability Database: VERACODE:41106
History: Jul 03, 2023 - 5:09 a.m.

HTML Injection

Published: 2023-07-03 05:09:01
Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: html injection, xwiki-commons-xml, htmldefinitions, html sanitizer, malicious code, xwiki

Severity: 9 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS: 0.002 Low (Percentile: 62.2%)

xwiki-commons-xml is vulnerable to HTML Injection. The vulnerability exists because the HTMLDefinitions function in HTMLDefinitions.java does not properly disallow form-related tags in the HTML sanitizer, which allows an attacker to inject and execute malicious code, such as content wrapped in {{html}}{{/html}}, in the context of XWiki.
