Page 21 of 104 results (0.004 seconds)

CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg https://jira.xwiki.org/browse/XWIKI-19757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1

XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p https://jira.xwiki.org/browse/XWIKI-20180 • CWE-749: Exposed Dangerous Method or Function •

CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2

XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. This has been patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7 https://jira.xwiki.org/browse/XWIKI-19838 • CWE-755: Improper Handling of Exceptional Conditions •

CVSS: 8.9EPSS: 0%CPEs: 4EXPL: 1

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79 https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g https://jira.xwiki.org/browse/XWIKI-20143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •