CVE-2024-41947 – XWiki Platform XSS through conflict resolution
https://notcve.org/view.php?id=CVE-2024-41947
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34 https://jira.xwiki.org/browse/XWIKI-21626 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 https://jira.xwiki.org/browse/XWIKI-21473 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •
CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28 https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949 https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f https://jira.xwiki.org/browse/XWIKI-19602 https://jira.xwiki.org/browse/XWIKI-19611 https://jira.xwiki.org/browse& • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVE-2024-37898 – XWiki Platform vulnerable to document deletion and overwrite from edit
https://notcve.org/view.php?id=CVE-2024-37898
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as rights of the previous version are transferred to the new page and thus the user still doesn't have view right on the page. It therefore doesn't seem to be possible to exploit this to gain any rights. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq https://github.com/xwiki/xwiki-platform/commit/0bc27d6ec63c8a505ff950e2d1792cb4f773c22e https://github.com/xwiki/xwiki-platform/commit/56f5d8aab7371d5ba891168f73890806551322c5 https://github.com/xwiki/xwiki-platform/commit/c5efc1e519e710afdf3c5f40c0fcc300ad77149f https://github.com/xwiki/xwiki-platform/commit/e4968fe268e5644ffd9bfa4ef6257d2796446009 https://jira.xwiki.org/browse/XWIKI-21553 • CWE-862: Missing Authorization •
CVE-2024-37899 – Disabling a user account changes its author, allowing RCE from user account in XWiki
https://notcve.org/view.php?id=CVE-2024-37899
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93 https://jira.xwiki.org/browse/XWIKI-21611 • CWE-94: Improper Control of Generation of Code ('Code Injection') •