CVE-2023-26477 – org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-26477
XWiki Platform is a generic wiki platform. Starting in versions 6.3-rc-1 and 6.2.4, it's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters. This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. As a workaround, it is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from the patch fixing the issue. • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg https://jira.xwiki.org/browse/XWIKI-19757 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2023-26478 – org.xwiki.platform:xwiki-platform-store-filesystem-oldcore has Exposed Dangerous Method or Function
https://notcve.org/view.php?id=CVE-2023-26478
XWiki Platform is a generic wiki platform. Starting in version 14.3-rc-1, `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` returns an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. This has been patched in versions 14.9-rc-1 and 14.4.6. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/3c73c59e39b6436b1074d8834cf276916010014d https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8692-g6g9-gm5p https://jira.xwiki.org/browse/XWIKI-20180 • CWE-749: Exposed Dangerous Method or Function •
CVE-2023-26479 – org.xwiki.platform:xwiki-platform-rendering-parser vulnerable to Improper Handling of Exceptional Conditions
https://notcve.org/view.php?id=CVE-2023-26479
XWiki Platform is a generic wiki platform. Starting in version 6.0, users with write rights can insert well-formed content that is not handled well by the parser. As a consequence, some pages becomes unusable, including the user index (if the page containing the faulty content is a user page) and the page index. Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. This has been patched in XWiki 13.10.10, 14.4.6, and 14.9-rc-1. A temporary workaround to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e.g., `-Xss32m`). • https://github.com/xwiki/xwiki-platform/commit/e5b82cd98072464196a468b8f7fe6396dce142a7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-52vf-hvv3-98h7 https://jira.xwiki.org/browse/XWIKI-19838 • CWE-755: Improper Handling of Exceptional Conditions •
CVE-2023-26480 – XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data
https://notcve.org/view.php?id=CVE-2023-26480
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79 https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g https://jira.xwiki.org/browse/XWIKI-20143 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-22457 – org.xwiki.contrib:application-ckeditor-ui vulnerable to Remote Code Execution via Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2023-22457
CKEditor Integration UI adds support for editing wiki pages using CKEditor. Prior to versions 1.64.3,t he `CKEditor.HTMLConverter` document lacked a protection against Cross-Site Request Forgery (CSRF), allowing to execute macros with the rights of the current user. If a privileged user with programming rights was tricked into executing a GET request to this document with certain parameters (e.g., via an image with a corresponding URL embedded in a comment or via a redirect), this would allow arbitrary remote code execution and the attacker could gain rights, access private information or impact the availability of the wiki. The issue has been patched in the CKEditor Integration version 1.64.3. This has also been patched in the version of the CKEditor integration that is bundled starting with XWiki 14.6 RC1. • https://github.com/xwiki-contrib/application-ckeditor/commit/6b1053164386aefc526df7512bc664918aa6849b https://github.com/xwiki-contrib/application-ckeditor/security/advisories/GHSA-6mjp-2rm6-9g85 https://jira.xwiki.org/browse/CKEDITOR-475 • CWE-352: Cross-Site Request Forgery (CSRF) •