
CVE-2024-43400 – XWiki Platform allows XSS through XClass name in string properties
https://notcve.org/view.php?id=CVE-2024-43400
19 Aug 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineering to trick a user into following the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. • https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVE-2024-43401 – In XWiki Platform, payloads stored in content is executed when a user with script/programming right edit them
https://notcve.org/view.php?id=CVE-2024-43401
19 Aug 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script/programming right can trick a user with elevated rights into editing content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time. This vulnerability has been patched in XWiki 15.10RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f963-4cq8-2gw7 • CWE-269: Improper Privilege Management •

CVE-2024-41947 – XWiki Platform XSS through conflict resolution
https://notcve.org/view.php?id=CVE-2024-41947
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. • https://www.exploit-db.com/exploits/52209 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •

CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user ... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVE-2024-37898 – XWiki Platform vulnerable to document deletion and overwrite from edit
https://notcve.org/view.php?id=CVE-2024-37898
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When a user has view but not edit right on a page in XWiki, that user can delete the page and replace it by a page with new content without having delete right. The previous version of the page is moved into the recycle bin and can be restored from there by an admin. As the user is recorded as deleter, the user would in theory also be able to view the deleted content, but this is not directly possible as... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq • CWE-862: Missing Authorization •

CVE-2024-38369 – XWiki programming rights may be inherited by inclusion
https://notcve.org/view.php?id=CVE-2024-38369
24 Jun 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. This vulnerability has been patched in XWiki 15.0 RC1 by making the default behavior safe. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh • CWE-863: Incorrect Authorization •

CVE-2024-37899 – Disabling a user account changes its author, allowing RCE from user account in XWiki
https://notcve.org/view.php?id=CVE-2024-37899
20 Jun 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script or programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/g... • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-31997 – XWiki Platform remote code execution from account through UIExtension parameters
https://notcve.org/view.php?id=CVE-2024-31997
10 Apr 2024 — XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. This allows remote code execution and thereby impacts the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9-RC1. • https://github.com/xwiki/xwiki-platform/commit/171e7c7d0e56deaa7b3678657ae26ef95379b1ea • CWE-862: Missing Authorization •

CVE-2024-31996 – XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
https://notcve.org/view.php?id=CVE-2024-31996
10 Apr 2024 — XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of the escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixe... • https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •