CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29258 – Cross-site Scripting in Filter Stream Converter Application in XWiki Platform
https://notcve.org/view.php?id=CVE-2022-29258
XWiki Platform Filter UI provides a generic user interface to convert from a XWiki Filter input stream to an output stream with settings for each stream. Starting with versions 6.0-milestone-2 and 5.4.4 and prior to versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3, XWiki Platform Filter UI contains a possible cross-site scripting vector in the `Filter.FilterStreamDescriptorForm` wiki page related to pretty much all the form fields printed in the home page of the application. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest workaround is to edit the wiki page `Filter.FilterStreamDescriptorForm` (with wiki editor) according to the instructions in the GitHub Security Advisory. La interfaz de usuario del filtro de la plataforma XWiki proporciona una interfaz de usuario genérica para convertir de un flujo de entrada del filtro XWiki a un flujo de salida con ajustes para cada flujo. • https://github.com/xwiki/xwiki-platform/commit/21906acb5ee2304552f56f9bbdbf8e7d368f7f3a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2 https://jira.xwiki.org/browse/XWIKI-19293 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2022-29251 – Cross-site Scripting in the Flamingo theme manager
https://notcve.org/view.php?id=CVE-2022-29251
XWiki Platform Flamingo Theme UI is a tool that allows customization and preview of any Flamingo-based skin. Starting with versions 6.2.4 and 6.3-rc-1, a possible cross-site scripting vector is present in the `FlamingoThemesCode.WebHomeSheet` wiki page related to the "newThemeName" form field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `FlamingoThemesCode.WebHomeSheet` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory. XWiki Platform Flamingo Theme UI es una herramienta que permite personalizar y previsualizar cualquier skin basado en Flamingo. • https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vmhh-xh3g-j992 https://jira.xwiki.org/browse/XWIKI-19294 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.4EPSS: 0%CPEs: 4EXPL: 0CVE-2022-29252 – Cross-site Scripting in XWiki Platform Wiki UI Main Wiki
https://notcve.org/view.php?id=CVE-2022-29252
XWiki Platform Wiki UI Main Wiki is a package for managing subwikis. Starting with version 5.3-milestone-2, XWiki Platform Wiki UI Main Wiki contains a possible cross-site scripting vector in the `WikiManager.JoinWiki ` wiki page related to the "requestJoin" field. The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, and 13.10.3. The easiest available workaround is to edit the wiki page `WikiManager.JoinWiki` (with wiki editor) according to the suggestion provided in the GitHub Security Advisory. XWiki Platform Wiki UI Main Wiki es un paquete para administrar subwikis. • https://github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ph5x-h23x-7q5q https://jira.xwiki.org/browse/XWIKI-19292 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) CWE-116: Improper Encoding or Escaping of Output •
CVSS: 4.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29253 – Path Traversal in XWiki Platform
https://notcve.org/view.php?id=CVE-2022-29253
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. The issue is patched in versions 14.0 and 13.10.3. There is no easy workaround for this issue. La plataforma XWiki es una plataforma wiki genérica que ofrece servicios de tiempo de ejecución para las aplicaciones construidas sobre ella. • https://github.com/xwiki/xwiki-platform/commit/4917c8f355717bb636d763844528b1fe0f95e8e2 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9qrp-h7fw-42hg https://jira.xwiki.org/browse/XWIKI-19349 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-24: Path Traversal: '../filedir' •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-29161 – Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature in xwiki-platform
https://notcve.org/view.php?id=CVE-2022-29161
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. • https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h8v5-p258-pqf4 https://jira.xwiki.org/browse/XWIKI-19676 • CWE-326: Inadequate Encryption Strength CWE-327: Use of a Broken or Risky Cryptographic Algorithm •