Page 19 of 110 results (0.010 seconds)

CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 1

APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. • https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8 https://github.com/xwiki/xwiki-commons/pull/127 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc https://jira.xwiki.org/browse/XWIKI-5168 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some velocity documents. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de tiempo de ejecución para aplicaciones construidas sobre ella. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5 https://jira.xwiki.org/browse/XWIKI-16544 • CWE-306: Missing Authentication for Critical Function CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de ejecución para las aplicaciones construidas sobre ella. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf https://jira.xwiki.org/browse/XWIKI-18850 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •

CVSS: 7.4EPSS: 0%CPEs: 6EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for anyone. 2. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. • https://github.com/xwiki/xwiki-platform/commit/053d957d53f2a543d158f3ab651e390d2728e0b9 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx6h-936c-vrrr https://jira.xwiki.org/browse/XWIKI-19291 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsString as `$xwiki.invokeServletAndReturnAsString("/WEB-INF/xwiki.cfg")`. This issue has been patched in XWiki versions 12.10.9, 13.4.3 and 13.7-rc-1. Users are advised to update. The only workaround is to limit SCRIPT right. • https://github.com/xwiki/xwiki-platform/commit/df8bd49b5a4d87a427002c6535fb5b1746ff117a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2jhm-qp48-hv5j https://jira.xwiki.org/browse/XWIKI-18870 • CWE-552: Files or Directories Accessible to External Parties CWE-862: Missing Authorization •