CVE-2023-26480 – XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
https://notcve.org/view.php?id=CVE-2023-26480
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79 https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g https://jira.xwiki.org/browse/XWIKI-20143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-41932 – Creation of new database tables through login form on PostgreSQL
https://notcve.org/view.php?id=CVE-2022-41932
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v https://jira.xwiki.org/browse/XWIKI-19886 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2022-41936 – Exposure of Private Personal Information to an Unauthorized Actor in xwiki-platform-rest-server
https://notcve.org/view.php?id=CVE-2022-41936
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The `modifications` rest endpoint does not filter out entries according to the user's rights. Therefore, information hidden from unauthorized users are exposed though the `modifications` rest endpoint (comments and page names etc). Users should upgrade to XWiki 14.6+, 14.4.3+, or 13.10.8+. Older versions have not been patched. • https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc https://jira.xwiki.org/browse/XWIKI-19997 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVE-2022-41937 – Missing Authorization in XWiki Platform
https://notcve.org/view.php?id=CVE-2022-41937
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The application allows anyone with view access to modify any page of the wiki by importing a crafted XAR package. The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8. As a workaround, setting the right of the page Filter.WebHome and making sure only the main wiki administrators can view the application installed on main wiki or edit the page and apply the changed described in commit fb49b4f. XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. • https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q6jp-gcww-8v2j https://jira.xwiki.org/browse/XWIKI-19758 • CWE-862: Missing Authorization •