CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 2CVE-2023-29203 – Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
https://notcve.org/view.php?id=CVE-2023-29203
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1. • https://github.com/xwiki/xwiki-platform/pull/1883 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 9.0EPSS: 2%CPEs: 4EXPL: 2CVE-2023-29202 – org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29202
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS feed with malicious content. With the interaction of a user with programming rights, this could be used to execute arbitrary acti... • https://github.com/xwiki/xwiki-platform/commit/5c7ebe47c2897e92d8f04fe2e15027e84dc3ec03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 2%CPEs: 1EXPL: 4CVE-2023-29201 – org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29201
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `