CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 2CVE-2022-41928 – XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
https://notcve.org/view.php?id=CVE-2022-41928
XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in versions 13.10.7, 14.4.2, and 14.5. The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 XWiki Platform vulnerable a una Neutralización Inadecuada de Directivas en Código Evaluado Dinámicamente (""Inyección de evaluación"") en AttachmentSelector.xml. El problema también se puede reproducir insertando un payload peligroso en las propiedades macro ""height"" o ""alt"". • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j https://jira.xwiki.org/browse/XWIKI-19800 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-41927 – XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing to delete or rename tags
https://notcve.org/view.php?id=CVE-2022-41927
XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting: ``` #if (!$services.csrf.isTokenValid($request.get('form_token'))) #set ($discard = $response.sendError(401, "Wrong CSRF token")) #end ``` XWiki Platform es vulnerable a la Cross-Site Request Forgery (CSRF), que puede permitir a los atacantes eliminar o cambiar el nombre de las etiquetas sin necesidad de confirmación. El problema se solucionó en XWiki 13.10.7, 14.4.1 y 14.5RC1. • https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mq7h-5574-hw9f • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-41933 – Plaintext storage of password in org.xwiki.platform:xwiki-platform-security-authentication-default
https://notcve.org/view.php?id=CVE-2022-41933
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When the `reset a forgotten password` feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and newer versions. Note that it only concerns the reset password feature available from the "Forgot your password" link in the login view: the features allowing a user to change their password, or for an admin to change a user password are not impacted. This vulnerability is particularly dangerous in combination with other vulnerabilities allowing to perform data leak of personal data from users, such as GHSA-599v-w48h-rjrm. • https://github.com/xwiki/xwiki-platform/commit/443e8398b75a1295067d74afb5898370782d863a#diff-f8a8f8ba80dfc55f044e2e60b521ce379176430ca6921b0f87b79cf682531f79L322 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q2hm-2h45-v5g3 https://jira.xwiki.org/browse/XWIKI-19869 https://jira.xwiki.org/browse/XWIKI-19945 • CWE-312: Cleartext Storage of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 8.2EPSS: 0%CPEs: 4EXPL: 1CVE-2022-41930 – org.xwiki.platform:xwiki-platform-user-profile-ui missing authorization to enable or disable users
https://notcve.org/view.php?id=CVE-2022-41930
org.xwiki.platform:xwiki-platform-user-profile-ui is missing authorization to enable or disable users. Any user (logged in or not) with access to the page XWiki.XWikiUserProfileSheet can enable or disable any user profile. This might allow to a disabled user to re-enable themselves, or to an attacker to disable any user of the wiki. The problem has been patched in XWiki 13.10.7, 14.5RC1 and 14.4.2. Workarounds: The problem can be patched immediately by editing the page `XWiki.XWikiUserProfileSheet` in the wiki and by performing the changes contained in https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa. • https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v https://jira.xwiki.org/browse/XWIKI-19792 • CWE-862: Missing Authorization •
CVSS: 4.9EPSS: 0%CPEs: 5EXPL: 1CVE-2022-41929 – Missing Authorization in User#setDisabledStatus in org.xwiki.platform:xwiki-platform-oldcore
https://notcve.org/view.php?id=CVE-2022-41929
org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem has been patched in XWiki 13.10.7, 14.4.2 and 14.5RC1. org.xwiki.platform:xwiki-platform-oldcore carece de autorización en User#setDisabledStatus, lo que puede permitir que un usuario autorizado incorrectamente y con solo derechos de script habilite o deshabilite a un usuario. Esta operación está destinada a estar disponible sólo para usuarios con derechos de administrador. Este problema se solucionó en XWiki 13.10.7, 14.4.2 y 14.5RC1. • https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq https://jira.xwiki.org/browse/XWIKI-19804 • CWE-862: Missing Authorization •