Page 12 of 146 results (0.007 seconds)

CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f https://jira.xwiki.org/browse/XWIKI-20275 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinutes/CreateApplication? • https://github.com/xwiki/xwiki-platform/commit/e73b890623efa604adc484ad82f37e31596fe1a6 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-44h9-xxvx-pg6x https://jira.xwiki.org/browse/XWIKI-20190 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/xwiki/xwiki-platform/commit/7bf7094f8ffac095f5d66809af7554c9cc44de09 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9j36-3cp4-rh4j https://jira.xwiki.org/browse/XWIKI-20268 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 3

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If guest has view right on any document. It's possible to create a new user using the `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp36-mjw5-fmgx https://jira.xwiki.org/browse/XWIKI-19852 https://jira.xwiki.org/browse/XWIKI-20400 • CWE-284: Improper Access Control •

CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in `imported.vm`, `importinline.vm`, and `packagelist.vm`. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hg5x-3w3x-7g96 https://jira.xwiki.org/browse/XWIKI-20267 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •