CVSS: 9.0EPSS: 1%CPEs: 9EXPL: 1CVE-2023-40572 – XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action
https://notcve.org/view.php?id=CVE-2023-40572
24 Aug 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This... • https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.9EPSS: 2%CPEs: 4EXPL: 0CVE-2023-40177 – XWiki Platform privilege escalation (PR) from account through AWM content fields
https://notcve.org/view.php?id=CVE-2023-40177
23 Aug 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is present since version 4.3M2 when AppWithinMinutes Application added support for the Content field, allowing any wiki page (including the user profile page) to use its content as an AWM Content field, which has a custom ... • https://github.com/xwiki/xwiki-platform/commit/dfb1cde173e363ca5c12eb3654869f9719820262 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.0EPSS: 27%CPEs: 4EXPL: 0CVE-2023-40176 – SXSS in the user profile via the timezone displayer
https://notcve.org/view.php?id=CVE-2023-40176
23 Aug 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop down (no free text value) it can still be set from JavaScript (using the browser developer tools) or by calling the save URL on the user profile with the right query string. Once the time zone is set it is displayed... • https://github.com/xwiki/xwiki-platform/commit/d11ca5d781f8a42a85bc98eb82306c1431e764d4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 4%CPEs: 3EXPL: 2CVE-2023-37914 – Privilege escalation (PR)/RCE from account through Invitation subject/message
https://notcve.org/view.php?id=CVE-2023-37914
17 Aug 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch on `Invitation.InvitationCommon` ... • https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38509 – XWiki Platform's obfuscated email addresses should not be sorted
https://notcve.org/view.php?id=CVE-2023-38509
27 Jul 2023 — XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1. A workaround is to modify the page `XWiki.LiveTableResultsMacros` following the patch. XWiki Platform es una plataforma wiki genérica. • https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVSS: 9.9EPSS: 91%CPEs: 2EXPL: 2CVE-2023-37462 – Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui
https://notcve.org/view.php?id=CVE-2023-37462
14 Jul 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a n... • https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 10.0EPSS: 2%CPEs: 2EXPL: 0CVE-2023-37277 – XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API
https://notcve.org/view.php?id=CVE-2023-37277
10 Jul 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and ... • https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.9EPSS: 7%CPEs: 5EXPL: 3CVE-2023-36468 – Upgrading doesn't prevent exploiting vulnerable XWiki documents
https://notcve.org/view.php?id=CVE-2023-36468
29 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitabl... • https://github.com/xwiki/xwiki-platform/commit/15a6f845d8206b0ae97f37aa092ca43d4f9d6e59 • CWE-459: Incomplete Cleanup •
CVSS: 9.9EPSS: 14%CPEs: 5EXPL: 2CVE-2023-36470 – Code injection in icon themes of XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36470
29 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inject XWiki syntax and Velocity code that is executed with programming rights and thus allows remote code execution. There are different attack vectors, the simplest is the Velocity code in the icon set's HTML or XWiki syntax definition. The [icon picker](https://extensions.xwiki.org/xwiki/bin/view/Extension/Icon%... • https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.6EPSS: 3%CPEs: 5EXPL: 0CVE-2023-35162 – XPlatform Wiki vulnerable to cross-site scripting via xcontinue parameter in preview actions template
https://notcve.org/view.php?id=CVE-2023-35162
23 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by using URL such as: >