CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26477 – org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-26477
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg https://jira.xwiki.org/browse/XWIKI-19757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26479 – org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
https://notcve.org/view.php?id=CVE-2023-26479
XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. This has been patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7 https://jira.xwiki.org/browse/XWIKI-19838 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41932 – Creation of new database tables through login form on PostgreSQL
https://notcve.org/view.php?id=CVE-2022-41932
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v https://jira.xwiki.org/browse/XWIKI-19886 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-41927 – XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing to delete or rename tags
https://notcve.org/view.php?id=CVE-2022-41927
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting: ``` #if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) #end ``` XWiki Platform es vulnerable a la Cross-Site Request Forgery (CSRF), que puede permitir a los atacantes eliminar o cambiar el nombre de las etiquetas sin necesidad de confirmación. El problema se solucionó en XWiki 13.10.7, 14.4.1 y 14.5RC1. • https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mq7h-5574-hw9f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 1CVE-2022-41929 – Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
https://notcve.org/view.php?id=CVE-2022-41929
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1. org.xwiki.platform:xwiki-platform-oldcore carece de autorización en User#setDisabledStatus, lo que puede permitir que un usuario autorizado incorrectamente y con solo derechos de script habilite o deshabilite a un usuario. Esta operación está destinada a estar disponible sólo para usuarios con derechos de administrador. Este problema se solucionó en XWiki 13.10.7, 14.4.2 y 14.5RC1. • https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq https://jira.xwiki.org/browse/XWIKI-19804 • CWE-862: Missing Authorization •