CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-41927 – XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing to delete or rename tags
https://notcve.org/view.php?id=CVE-2022-41927
23 Nov 2022 — XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting: ``` #if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) ... • https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 2CVE-2022-41928 – XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
https://notcve.org/view.php?id=CVE-2022-41928
23 Nov 2022 — XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 1CVE-2022-41929 – Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
https://notcve.org/view.php?id=CVE-2022-41929
23 Nov 2022 — org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1. org.xwiki.platform:xwiki-platform-oldcore carece de autorización en User#setDisabledStatus, lo que puede permitir que un usuario autorizado incorrectamente y con solo derechos ... • https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd • CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 0%CPEs: 4EXPL: 1CVE-2022-41930 – org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users
https://notcve.org/view.php?id=CVE-2022-41930
23 Nov 2022 — org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the w... • https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 2%CPEs: 6EXPL: 2CVE-2022-41931 – Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in xwiki-platform-icon-ui
https://notcve.org/view.php?id=CVE-2022-41931
23 Nov 2022 — xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the icon picker macro can execute arbitrary Groovy, Python or Velocity code in XWiki due to improper neutralization of the macro parameters of the icon picker macro. The problem has been patched in XWiki 13.10.7, 14.5 and 14.4.2. Workarounds: The [patch](https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550... • https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41932 – Creation of new database tables through login form on PostgreSQL
https://notcve.org/view.php?id=CVE-2022-41932
23 Nov 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.9EPSS: 2%CPEs: 4EXPL: 2CVE-2022-41934 – Improper Neutralization of Directives in Dynamically Evaluated Code in org.xwiki.platform:xwiki-platform-menu-ui
https://notcve.org/view.php?id=CVE-2022-41934
23 Nov 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and parameters of the menu macro. The problem has been patched in XWiki 14.6RC1, 13.10.8 and 14.4.3. The patch (commit `2fc20891`) for the document `Menu.MenuMacro` ... • https://github.com/xwiki/xwiki-platform/commit/2fc20891e6c6b0ca05ee07e315e7f435e8919f8d • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41936 – Exposure of Private Personal Information to an Unauthorized Actor in xwiki-platform-rest-server
https://notcve.org/view.php?id=CVE-2022-41936
22 Nov 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. • https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 9.6EPSS: 2%CPEs: 3EXPL: 0CVE-2022-41937 – Missing Authorization in XWiki Platform
https://notcve.org/view.php?id=CVE-2022-41937
22 Nov 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, setting the right of the page Filter.WebHome and making sure only the main wiki administrators can view the application installed on main wiki or edit the page and apply the changed described in commit fb49b4f. ... • https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113 • CWE-862: Missing Authorization •
CVSS: 9.9EPSS: 12%CPEs: 2EXPL: 2CVE-2022-36100 – XWiki Platform Applications Tag and XWiki Platform Tag UI vulnerable to Eval Injection
https://notcve.org/view.php?id=CVE-2022-36100
08 Sep 2022 — XWiki Platform Applications Tag and XWiki Platform Tag UI are tag applications for XWiki, a generic wiki platform. Starting with version 1.7 in XWiki Platform Applications Tag and prior to 13.10.6 and 14.4 in XWiki Platform Tag UI, the tags document `Main.Tags` in XWiki didn't sanitize user inputs properly. This allowed users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights. T... • https://github.com/xwiki/xwiki-platform/commit/604868033ebd191cf2d1e94db336f0c4d9096427 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-116: Improper Encoding or Escaping of Output •