Page 2 of 26 results (0.005 seconds)

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible for any user knowing the ID of a notification filter preference of another user, to enable/disable it or even delete it. The impact is that the target user might start loosing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1. This vulnerability has been patched in XWiki 14.10.21, 15.5.5, 15.10.1, 16.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/e8acc9d8e6af7dfbfe70716ded431642ae4a6dd4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r95w-889q-x2gx https://jira.xwiki.org/browse/XWIKI-20337 • CWE-648: Incorrect Use of Privileged APIs •

CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to get access to notification filters of any user by using a URL such as `<hostname>xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=<username>`. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do not provide much information (they mainly contain references which are public data in XWiki), though some info could be used in combination with other vulnerabilities. • https://github.com/xwiki/xwiki-platform/commit/c8c6545f9bde6f5aade994aa5b5903a67b5c2582 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pg4m-3gp6-hw4w https://jira.xwiki.org/browse/XWIKI-20336 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0

XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. • https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm https://jira.xwiki.org/browse/XWIKI-22052 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •

CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7 https://jira.xwiki.org/browse/XWIKI-20331 https://jira.xwiki.org/browse/XWIKI-21311 https://jira.xwiki.org/browse/XWIKI-21481 https://jira.xwiki.org/browse/XWIKI-21482 https://jira.xwiki.org/browse/XWIKI-21483 https://jira.xwiki.org/browse/XWIKI-21484 https://jira.xwiki.org/browse/XWIKI-21485 https://jira.xwiki.org/browse/XWIKI-21486 https://jira.xwiki.org/browse/XWIKI-21487 https:/&#x • CWE-269: Improper Privilege Management •

CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34 https://jira.xwiki.org/browse/XWIKI-21626 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •