CVSS: 10.0EPSS: 54%CPEs: 3EXPL: 2CVE-2023-26477 – org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-26477
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26478 – org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or Function
https://notcve.org/view.php?id=CVE-2023-26478
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no kn... • https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d • CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26479 – org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
https://notcve.org/view.php?id=CVE-2023-26479
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title ... • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 8.9EPSS: 1%CPEs: 4EXPL: 1CVE-2023-26480 – XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
https://notcve.org/view.php?id=CVE-2023-26480
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •