CVE-2023-29514 – Code injection in template provider administration in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29514
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/xwiki/xwiki-platform/commit/7bf7094f8ffac095f5d66809af7554c9cc44de09 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9j36-3cp4-rh4j https://jira.xwiki.org/browse/XWIKI-20268 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-29513 – Users can be created even when registration is disabled without validation via the template macro in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29513
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If guest has view right on any document. It's possible to create a new user using the `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp36-mjw5-fmgx https://jira.xwiki.org/browse/XWIKI-19852 https://jira.xwiki.org/browse/XWIKI-20400 • CWE-284: Improper Access Control •
CVE-2023-29512 – Code injection in xwiki-platform-web-templates
https://notcve.org/view.php?id=CVE-2023-29512
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in `imported.vm`, `importinline.vm`, and `packagelist.vm`. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hg5x-3w3x-7g96 https://jira.xwiki.org/browse/XWIKI-20267 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-29510 – Code injection via unescaped translations in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29510
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user's own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. • https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw https://jira.xwiki.org/browse/XWIKI-19749 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-29522 – Code injection from view right on XWiki.ClassSheet in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29522
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. This issue has been patched in XWiki 14.4.8, 14.10.3 and 15.0RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d7e56185376641ee5d66477c6b2791ca8e85cfee https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mjw9-3f9f-jq2w https://jira.xwiki.org/browse/XWIKI-20456 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •