
CVE-2023-34466 – XWiki Platform's tags on non-viewable pages can be revealed to users
https://notcve.org/view.php?id=CVE-2023-34466
23 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.0-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, tags from pages not viewable to the current user are leaked by the tags API. This information can also be exploited to infer the document reference of non-viewable pages. This vulnerability has been patched in XWiki 14.4.8, 14.10.4, and 15.0-rc-1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7f2f-pcv3-j2r7 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2023-34465 – XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
https://notcve.org/view.php?id=CVE-2023-34465
23 Jun 2023 — XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, such a user can change the mail obfuscation configuration and view and edit the mail sending configuration, including the SMTP domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a... • https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1 • CWE-269: Improper Privilege Management

CVE-2023-34464 – XWiki vulnerable to stored cross-site scripting via any wiki document and the displaycontent/rendercontent template
https://notcve.org/view.php?id=CVE-2023-34464
23 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web, and in any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki (such as their user profile) can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tr... • https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-35166 – Privilege escalation (PR) from account through TipsPanel
https://notcve.org/view.php?id=CVE-2023-35166
20 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the rights of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5. • https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178 • CWE-863: Incorrect Authorization

CVE-2023-32068 – URL Redirection to Untrusted Site in XWiki
https://notcve.org/view.php?id=CVE-2023-32068
15 May 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well-known parameters in XWiki URLs to perform a redirection to an untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1, but it is still possible to craft specific URLs that skip some checks; e.g., using a URL like `http:example.com` in the parameter would allow the redirect. The issue has now been patched a... • https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1e • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

CVE-2023-32070 – Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
https://notcve.org/view.php?id=CVE-2023-32070
10 May 2023 — XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn't check for dangerous attributes or attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., those supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version. • https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-83: Improper Neutralization of Script in Attributes in a Web Page

CVE-2023-32071 – XWiki Platform vulnerable to RXSS via editor parameter - importinline template
https://notcve.org/view.php?id=CVE-2023-32071
09 May 2023 — XWiki Platform is a generic wiki platform. Starting in version 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute JavaScript with the rights of any user by leading them to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `

CVE-2023-32069 – XWiki Platform privilege escalation (PR)/RCE from account through class sheet
https://notcve.org/view.php?id=CVE-2023-32069
09 May 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the rights of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4 • CWE-863: Incorrect Authorization

CVE-2023-31126 – Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-31126
09 May 2023 — `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code, and thus cross-site scripting, via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner, as attributes are cleaned there and characters like `/` and `>` are thus removed from all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that ... • https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages

CVE-2023-29517 – Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer
https://notcve.org/view.php?id=CVE-2023-29517
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro allowed anyone to see the content of any file on the hosting server, provided that the office server was connected, and subject to the permissions of the user running the servlet engine (e.g. Tomcat) that runs XWiki. The same vulnerability also allowed internal requests to be made to resources on the hosting server. The problem has been patched in XWiki 13.10.11, 14.10.1... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m3c3-9qj7-7xmx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor