CVSS: 7.5EPSS: 38%CPEs: 4EXPL: 0CVE-2023-48241 – XWiki exposed whole content of all documents of all wikis to anybody with view right on Solr suggest service
https://notcve.org/view.php?id=CVE-2023-48241
XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider that also duplicates as generic JavaScript API for search results in XWiki exposes the content of all documents of all wikis to anybody who has access to it, by default it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). While there is a right check normally, the right check can be circumvented by explicitly requesting fields from Solr that don't include the data for the right check. This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked. • https://github.com/xwiki/xwiki-platform/commit/93b8ec702d7075f0f5794bb05dfb651382596764 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7fqr-97j7-jgf4 https://jira.xwiki.org/browse/XWIKI-21138 • CWE-285: Improper Authorization •
CVSS: 9.0EPSS: 0%CPEs: 3EXPL: 0CVE-2023-48240 – XWiki Platform sends cookies to external images in rendered diff and is vulnerable to server side request forgery
https://notcve.org/view.php?id=CVE-2023-48240
XWiki Platform is a generic wiki platform. The rendered diff in XWiki embeds images to be able to compare the contents and not display a difference for an actually unchanged image. For this, XWiki requests all embedded images on the server side. These requests are also sent for images from other domains and include all cookies that were sent in the original request to ensure that images with restricted view right can be compared. Starting in version 11.10.1 and prior to versions 14.10.15, 15.5.1, and 15.6, this allows an attacker to steal login and session cookies that allow impersonating the current user who views the diff. • https://github.com/xwiki/xwiki-platform/commit/bff0203e739b6e3eb90af5736f04278c73c2a8bb https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7rfg-6273-f5wp https://jira.xwiki.org/browse/XWIKI-20818 • CWE-201: Insertion of Sensitive Information Into Sent Data CWE-281: Improper Preservation of Permissions CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46243 – Code execution via the edit action in XWiki platform
https://notcve.org/view.php?id=CVE-2023-46243
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w https://jira.xwiki.org/browse/XWIKI-20385 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46242 – Code injection in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46242
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5 https://jira.xwiki.org/browse/XWIKI-20386 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-46244 – Privilege escalation in Xwiki platform
https://notcve.org/view.php?id=CVE-2023-46244
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to write a script in which any velocity content is executed with the right of any other document content author. Since this API require programming right and the user does not have it, the expected result is `$doc.document.authors.contentAuthor` (not executed script), unfortunately with the security vulnerability it is possible for the attacker to get `XWiki.superadmin` which shows that the title was executed with the right of the unmodified document. This has been patched in XWiki versions 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/11a9170dfe63e59f4066db67f84dbfce4ed619c6 https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmxw-c48h-2vf5 https://jira.xwiki.org/browse/XWIKI-20624 https://jira.xwiki.org/browse/XWIKI-20625 • CWE-863: Incorrect Authorization •