
CVSS: 9.9 | EPSS: 0% | CPEs: 3 | EXPL: 2

16 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10. • https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 9.9 | EPSS: 0% | CPEs: 2 | EXPL: 2

16 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on XWiki 14.4.7, and 14.10. • https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 9.9 | EPSS: 0% | CPEs: 3 | EXPL: 2

16 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10. • https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 9.9 | EPSS: 0% | CPEs: 3 | EXPL: 2

15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provides the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerabi... • https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 9.9 | EPSS: 0% | CPEs: 3 | EXPL: 2

15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the legacy notification activity macro. This macro is installed by default in XWiki. The vulnerability can be exploited via every wiki page ... • https://github.com/xwiki/xwiki-platform/commit/94392490884635c028199275db059a4f471e57bc • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 8.6 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Apr 2023 — LilyPond before 2.24 allows attackers to bypass the -dsafe protection mechanism via output-def-lookup or output-def-scope, as demonstrated by dangerous Scheme code in a .ly file that causes arbitrary code execution during conversion to a different file format. • http://lilypond.org/doc/v2.18/Documentation/usage/command_002dline-usage • CWE-863: Incorrect Authorization •

CVSS: 10.0 | EPSS: 59% | CPEs: 1 | EXPL: 3

15 Apr 2023 — The Score extension through 0.3.0 for MediaWiki has a remote code execution vulnerability due to improper sandboxing of the GNU LilyPond executable. This allows any user with an ability to edit articles (potentially including unauthenticated anonymous users) to execute arbitrary Scheme or shell code by using crafted {{Image data to generate musical scores containing malicious code. • https://github.com/seqred-s-a/cve-2020-29007 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

14 Apr 2023 — Assuming the pre-existence of a vulnerability that allows for arbitrary code execution, an attacker could leverage the lax permissions configured on `open-feature-operator-controller-manager` to escalate the privileges of any SA in the cluster. • https://github.com/open-feature/open-feature-operator/releases/tag/v0.2.32 • CWE-269: Improper Privilege Management •

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Apr 2023 — The manipulation leads to code injection. ... Through manipulation with unknown data, a code injection vulnerability can be exploited. • https://gitee.com/ashe-king/cve/blob/master/dedecms%20rce2.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

14 Apr 2023 — Timmystudios Fast Typing Keyboard v1.275.1.162 allows unauthorized apps to overwrite arbitrary files in its internal storage via a directory traversal vulnerability and achieve arbitrary code execution. • https://corporate.timmystudios.com • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •