Page 30 of 157 results (0.114 seconds)

CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A vulnerability exists in versions prior to 12.6.88, 12.10.4, and 13.0. The script service method used to reset the authentication failures record can be executed by any user with Script rights and does not require Programming rights. An attacher with script rights who is able to reset the authentication failure record might perform a brute force attack, since they would be able to virtually deactivate the mechanism introduced to mitigate those attacks. The problem has been patched in version 12.6.8, 12.10.4 and 13.0. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m738-3rc4-5xv3 https://jira.xwiki.org/browse/XWIKI-18276 • CWE-693: Protection Mechanism Failure CWE-732: Incorrect Permission Assignment for Critical Resource •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 11.10.13, 12.6.7, and 12.10.2, a user disabled on a wiki using email verification for registration canouldre-activate themself by using the activation link provided for his registration. The problem has been patched in the following versions of XWiki: 11.10.13, 12.6.7, 12.10.2, 13.0. It is possible to workaround the issue by resetting the `validkey` property of the disabled XWiki users. This can be done by editing the user profile with object editor. • https://github.com/xwiki/xwiki-platform/commit/f9a677408ffb06f309be46ef9d8df1915d9099a4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-76mp-659p-rw65 https://jira.xwiki.org/browse/XWIKI-17942 • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •

CVSS: 8.8EPSS: 1%CPEs: 5EXPL: 1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 12.6.7 and 12.10.3, a user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard. The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1. La Plataforma XWiki es una plataforma wiki genérica que ofrece servicios de ejecución para las aplicaciones construidas sobre ella. En las versiones anteriores a la versión 12.6.7 y 12.10.3, un usuario sin derecho de Script o Programación puede ejecutar un script que requiera privilegios al editar los títulos de los gadgets en el tablero. • https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc https://jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html https://jira.xwiki.org/browse/XWIKI-17794 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 1

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of static lists using App Within Minutes. There is no easy workaround except upgrading XWiki. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5c66-v29h-xjh8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5 https://jira.xwiki.org/browse/XWIKI-17662 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •