CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46242 – Code injection in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46242
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5 https://jira.xwiki.org/browse/XWIKI-20386 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-46731 – Remote code execution through the section parameter in Administration as guest in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46731
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. • https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a#diff-6271f9be501f30b2ba55459eb451aee3413d34171ba8198a77c865306d174e23 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-62pr-qqf7-hh89 https://jira.xwiki.org/browse/XWIKI-21110 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 1CVE-2023-40573 – XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution
https://notcve.org/view.php?id=CVE-2023-40573
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. • https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj https://jira.xwiki.org/browse/XWIKI-20852 • CWE-284: Improper Access Control •
CVSS: 9.0EPSS: 0%CPEs: 9EXPL: 1CVE-2023-40572 – XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action
https://notcve.org/view.php?id=CVE-2023-40572
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation. • https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m https://jira.xwiki.org/browse/XWIKI-20849 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-37277 – XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API
https://notcve.org/view.php?id=CVE-2023-37277
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks. • https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6 https://jira.xwiki.org/browse/XWIKI-20135 • CWE-352: Cross-Site Request Forgery (CSRF) •