CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 2CVE-2022-41935 – Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-livetable-ui
https://notcve.org/view.php?id=CVE-2022-41935
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users without the right to view documents can deduce their existence by repeated Livetable queries. The issue has been patched in XWiki 14.6RC1, 13.10.8, and 14.4.3, the response is not properly cleaned up of obfuscated entries. As a workaround, The patch for the document `XWiki.LiveTableResultsMacros` can be manually applied or a XAR archive of a patched version can be imported, on versions 12.10.11, 13.9-rc-1, and 13.4.4. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p2x4-6ghr-6vmq https://jira.xwiki.org/browse/XWIKI-19999 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-41932 – Creation of new database tables through login form on PostgreSQL
https://notcve.org/view.php?id=CVE-2022-41932
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v https://jira.xwiki.org/browse/XWIKI-19886 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 2CVE-2022-41928 – XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
https://notcve.org/view.php?id=CVE-2022-41928
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 XWiki Platform vulnerable a una Neutralización Inadecuada de Directivas en Código Evaluado Dinámicamente (""Inyección de evaluación"") en AttachmentSelector.xml. El problema también se puede reproducir insertando un payload peligroso en las propiedades macro ""height"" o ""alt"". • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j https://jira.xwiki.org/browse/XWIKI-19800 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-41927 – XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing to delete or rename tags
https://notcve.org/view.php?id=CVE-2022-41927
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting: ``` #if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) #end ``` XWiki Platform es vulnerable a la Cross-Site Request Forgery (CSRF), que puede permitir a los atacantes eliminar o cambiar el nombre de las etiquetas sin necesidad de confirmación. El problema se solucionó en XWiki 13.10.7, 14.4.1 y 14.5RC1. • https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mq7h-5574-hw9f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 1CVE-2022-41930 – org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users
https://notcve.org/view.php?id=CVE-2022-41930
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. • https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v https://jira.xwiki.org/browse/XWIKI-19792 • CWE-862: Missing Authorization •