CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29161 – Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature in xwiki-platform
https://notcve.org/view.php?id=CVE-2022-29161
05 May 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advise... • https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52 • CWE-326: Inadequate Encryption Strength CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 1CVE-2022-24821 – Incorrect Use of Privileged APIs in org.xwiki.platform.skin.skinx
https://notcve.org/view.php?id=CVE-2022-24821
08 Apr 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki. But a bug allow anyone with edit rights to actually create those. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There's no easy workaround for this issue, administrators should upgrade their wiki... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 7.4EPSS: 0%CPEs: 6EXPL: 0CVE-2022-23622 – Cross site scripting in registration template in xwiki-platform
https://notcve.org/view.php?id=CVE-2022-23622
09 Feb 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for anyone. 2. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. • https://github.com/xwiki/xwiki-platform/commit/053d957d53f2a543d158f3ab651e390d2728e0b9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •