CVSS: 9.9EPSS: 1%CPEs: 6EXPL: 2CVE-2023-27479 – Improper Neutralization of Directives in Dynamically Evaluated Code in org.xwiki.platform:xwiki-platform-panels-ui
https://notcve.org/view.php?id=CVE-2023-27479
07 Mar 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true"... • https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 2CVE-2023-26056 – XWiki Platform allows macro execution as any user without programming rights through the context macro
https://notcve.org/view.php?id=CVE-2023-26056
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6 • CWE-863: Incorrect Authorization •
CVSS: 9.9EPSS: 1%CPEs: 4EXPL: 1CVE-2023-26471 – XWiki Platform users may execute anything with superadmin right through comments and async macro
https://notcve.org/view.php?id=CVE-2023-26471
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 11.6-rc-1, comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled), but the async macro does not take into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin. This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. The only known workaround consists of applying a patch... • https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 1%CPEs: 5EXPL: 2CVE-2023-26472 – XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
https://notcve.org/view.php?id=CVE-2023-26472
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 6.2-milestone-1, one can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with certain content. This can be done by creating a new page or even through the user profile for users not having edit right. The issue has been patched in XWiki 14.9, 14.4.6, and 13.10.10. An available workaround is to fix the bug in the page `IconThemesCode.IconThemeSheet` by applying a modification from commit 48caf7491595238a... • https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 2CVE-2023-26473 – XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm
https://notcve.org/view.php?id=CVE-2023-26473
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vpx4-7rfp-h545 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26474 – XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
https://notcve.org/view.php?id=CVE-2023-26474
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 29%CPEs: 4EXPL: 2CVE-2023-26475 – XWiki Platform vulnerable to Remote Code Execution in Annotations
https://notcve.org/view.php?id=CVE-2023-26475
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 • CWE-269: Improper Privilege Management CWE-270: Privilege Context Switching Error •
CVSS: 10.0EPSS: 54%CPEs: 3EXPL: 2CVE-2023-26477 – org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-26477
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26478 – org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or Function
https://notcve.org/view.php?id=CVE-2023-26478
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no kn... • https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d • CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26479 – org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
https://notcve.org/view.php?id=CVE-2023-26479
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title ... • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 • CWE-755: Improper Handling of Exceptional Conditions •