CVSS: 9.9EPSS: 0%CPEs: 4EXPL: 2CVE-2023-26475 – XWiki Platform vulnerable to Remote Code Execution in Annotations
https://notcve.org/view.php?id=CVE-2023-26475
XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h6f5-8jj5-cxhr https://jira.xwiki.org/browse/XWIKI-20360 https://jira.xwiki.org/browse/XWIKI-20384 • CWE-269: Improper Privilege Management CWE-270: Privilege Context Switching Error •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2023-26476 – Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2023-26476
XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`. • https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5cf8-vrr8-8hjm https://jira.xwiki.org/browse/XWIKI-19949 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26477 – org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-26477
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg https://jira.xwiki.org/browse/XWIKI-19757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 1CVE-2023-26478 – org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or Function
https://notcve.org/view.php?id=CVE-2023-26478
XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p https://jira.xwiki.org/browse/XWIKI-20180 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 2CVE-2023-26479 – org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
https://notcve.org/view.php?id=CVE-2023-26479
XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. This has been patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7 https://jira.xwiki.org/browse/XWIKI-19838 • CWE-755: Improper Handling of Exceptional Conditions •