CVSS: 9.9EPSS: 17%CPEs: 2EXPL: 0CVE-2024-55662 – XWiki allows remote code execution through the extension sheet
https://notcve.org/view.php?id=CVE-2024-55662
12 Dec 2024 — XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches ... • https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-863: Incorrect Authorization •
CVSS: 6.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46978 – Missing checks for notification filter preferences editions in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46978
18 Sep 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 • CWE-648: Incorrect Use of Privileged APIs •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2024-46979 – Data leak of notification filters of users in XWiki Platform
https://notcve.org/view.php?id=CVE-2024-46979
18 Sep 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `
CVSS: 5.3EPSS: 48%CPEs: 2EXPL: 0CVE-2024-45591 – XWiki Platform document history including authors of any page exposed to unauthorized actors
https://notcve.org/view.php?id=CVE-2024-45591
10 Sep 2024 — XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing ... • https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 1%CPEs: 4EXPL: 0CVE-2024-43400 – XWiki Platform allows XSS through XClass name in string properties
https://notcve.org/view.php?id=CVE-2024-43400
19 Aug 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. • https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43401 – In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them
https://notcve.org/view.php?id=CVE-2024-43401
19 Aug 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7 • CWE-269: Improper Privilege Management •
CVSS: 9.1EPSS: 1%CPEs: 2EXPL: 1CVE-2024-41947 – XWiki Platform XSS through conflict resolution
https://notcve.org/view.php?id=CVE-2024-41947
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. • https://www.exploit-db.com/exploits/52209 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 10.0EPSS: 5%CPEs: 3EXPL: 0CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user ... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37898 – XWiki Platform vulnerable to document deletion and overwrite from edit
https://notcve.org/view.php?id=CVE-2024-37898
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq • CWE-862: Missing Authorization •