CVSS: 9.9EPSS: 9%CPEs: 2EXPL: 1CVE-2023-37912 – XWiki Rendering's footnote macro vulnerable to privilege escalation via the footnote macro
https://notcve.org/view.php?id=CVE-2023-37912
25 Oct 2023 — XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, th... • https://github.com/xwiki/xwiki-rendering/commit/5f558b8fac8b716d19999225f38cb8ed0814116e • CWE-270: Privilege Context Switching Error •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2023-37908 – org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
https://notcve.org/view.php?id=CVE-2023-37908
25 Oct 2023 — XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. The cleaning of attributes during XHTML rendering, introduced in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid attribute names. This can be exploited, e.g., via the link syntax in any content that supports XWiki syntax like comments in XWiki. When a user moves the mouse over a malicious link, the malicious JavaScript code is executed in ... • https://github.com/xwiki/xwiki-rendering/commit/f4d5acac451dccaf276e69f0b49b72221eef5d2f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page •
CVSS: 9.0EPSS: 4%CPEs: 2EXPL: 0CVE-2023-32070 – Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
https://notcve.org/view.php?id=CVE-2023-32070
10 May 2023 — XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version. • https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-83: Improper Neutralization of Script in Attributes in a Web Page •