CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2022-36094 – XWiki Platform Web Parent POM vulnerable to XSS in the attachment history
https://notcve.org/view.php?id=CVE-2022-36094
XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.30-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without updating XWiki. XWiki Platform Web Parent POM contiene recursos web para la plataforma XWiki, una plataforma wiki genérica. • https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mxf2-4r22-5hq9 https://jira.xwiki.org/browse/XWIKI-19612 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36092 – XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
https://notcve.org/view.php?id=CVE-2022-36092
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by properly checking view rights before loading documents and disallowing non-default templates in the login, registration and skin action. • https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2d69cd4bb https://github.com/xwiki/xwiki-platform/commit/9b7057d57a941592d763992d4299456300918208 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8h89-34w2-jpfm https://jira.xwiki.org/browse/XWIKI-18602 https://jira.xwiki.org/browse/XWIKI-19549 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-36091 – XWiki Platform Web Templates vulnerable to Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2022-36091
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By exploiting an additional vulnerability, this issue can even be exploited on private wikis at least for string properties. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm https://jira.xwiki.org/browse/XWIKI-18849 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36090 – org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users
https://notcve.org/view.php?id=CVE-2022-36090
XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. On the same way some resources handler created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki for instance configured with the email activation required for new users. • https://github.com/xwiki/xwiki-platform/commit/e074d226d9b2b96a0a1ba4349d1b73a802842986 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgc8-gvcx-9vfx https://jira.xwiki.org/browse/XWIKI-19559 • CWE-285: Improper Authorization •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 2CVE-2022-31167 – XWiki Platform Security Parent POM vulnerable to overwriting of security rules of a page with a final page having the same reference
https://notcve.org/view.php?id=CVE-2022-31167
XWiki Platform Security Parent POM contains the security APIs for XWiki Platform, a generic wiki platform. Starting with version 5.0 and prior to 12.10.11, 13.10.1, and 13.4.6, a bug in the security cache stores rules associated to document Page1.Page2 and space Page1.Page2 in the same cache entry. That means that it's possible to overwrite the rights of a space or a document by creating the page of the space with the same name and checking the right of the new one first so that they end up in the security cache and are used for the other too. The problem has been patched in XWiki 12.10.11, 13.10.1, and 13.4.6. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gg53-wf5x-r3r6 https://jira.xwiki.org/browse/XWIKI-14075 https://jira.xwiki.org/browse/XWIKI-18983 • CWE-285: Improper Authorization CWE-862: Missing Authorization •