
CVSS: 9.0 | EPSS: 0% | CPEs: 5 | EXPL: 2

XWiki Commons is the set of common modules used by other XWiki top-level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or, in the context of a sheet, to add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println(&quot;Hello from Groovy!&quot;)" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document.
• https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v https://jira.xwiki.org/browse/XCOMMONS-2634
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'); CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 | EPSS: 0% | CPEs: 6 | EXPL: 1

XWiki Commons are technical libraries common to several other top-level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.
• https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h https://jira.xwiki.org/browse/XCOMMONS-2568 https://jira.xwiki.org/browse/XWIKI-20348
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.9 | EPSS: 0% | CPEs: 7 | EXPL: 3

XWiki Commons are technical libraries common to several other top-level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched in versions 13.10.9, 14.4.4 and 14.7RC1.
• https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h https://jira.xwiki.org/browse/XCOMMONS-2498 https://jira.xwiki.org/browse/XWIKI-19793 https://jira.xwiki.org/browse/XWIKI-19794
• CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences

CVSS: 4.9 | EPSS: 0% | CPEs: 3 | EXPL: 1

org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessible to the user running the XWiki application server, via XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when granting Script rights.
• https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 https://jira.xwiki.org/browse/XWIKI-18946
• CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 4.3 | EPSS: 0% | CPEs: 11 | EXPL: 0

Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages.
• http://osvdb.org/103288 http://secunia.com/advisories/56861 http://www.securityfocus.com/bid/65524 https://exchange.xforce.ibmcloud.com/vulnerabilities/91151 https://www.drupal.org/node/2194777 https://www.drupal.org/node/2194877
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')