CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-48293 – XWiki Admin Tools Application CSRF with QueryOnXWiki allows arbitrary database queries
https://notcve.org/view.php?id=CVE-2023-48293
The XWiki Admin Tools Application provides tools to help the administration of XWiki. Prior to version 4.5.1, a cross-site request forgery vulnerability in the query on XWiki tool allows executing arbitrary database queries on the database of the XWiki installation. Among other things, this allows modifying and deleting all data of the wiki. This could be both used to damage the wiki and to create an account with elevated privileges for the attacker, thus impacting the confidentiality, integrity and availability of the whole XWiki instance. A possible attack vector are comments on the wiki, by embedding an image with wiki syntax like `[[image:path:/xwiki/bin/view/Admin/QueryOnXWiki? • https://github.com/xwiki-contrib/application-admintools/commit/45298b4fbcafba6914537dcdd798a1e1385f9e46 https://github.com/xwiki-contrib/application-admintools/security/advisories/GHSA-4f4c-rhjv-4wgv https://jira.xwiki.org/browse/ADMINTOOL-92 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46243 – Code execution via the edit action in XWiki platform
https://notcve.org/view.php?id=CVE-2023-46243
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w https://jira.xwiki.org/browse/XWIKI-20385 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46242 – Code injection in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46242
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5 https://jira.xwiki.org/browse/XWIKI-20386 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2023-46731 – Remote code execution through the section parameter in Administration as guest in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46731
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki doesn't properly escape the section URL parameter that is used in the code for displaying administration sections. This allows any user with read access to the document `XWiki.AdminSheet` (by default, everyone including unauthenticated users) to execute code including Groovy code. This impacts the confidentiality, integrity and availability of the whole XWiki instance. This vulnerability has been patched in XWiki 14.10.14, 15.6 RC1 and 15.5.1. • https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a#diff-6271f9be501f30b2ba55459eb451aee3413d34171ba8198a77c865306d174e23 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-62pr-qqf7-hh89 https://jira.xwiki.org/browse/XWIKI-21110 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.0EPSS: 0%CPEs: 14EXPL: 1CVE-2023-45134 – XWiki Platform XSS vulnerability from account in the create page form via template provider
https://notcve.org/view.php?id=CVE-2023-45134
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-1 and prior to 13.4-rc-1, `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.2 and 15.5-rc-1, and `org.xwiki.platform:xwiki-web-standard` starting in version 2.4-milestone-2 and prior to version 3.1-milestone-1 are vulnerable to cross-site scripting. An attacker can create a template provider on any document that is part of the wiki (could be the attacker's user profile) that contains malicious code. This code is executed when this template provider is selected during document creation which can be triggered by sending the user to a URL. For the attacker, the only requirement is to have an account as by default the own user profile is editable. • https://github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2e https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gr82-8fj2-ggc3 https://jira.xwiki.org/browse/XWIKI-20962 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •