CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2CVE-2023-37914 – Privilege escalation (PR)/RCE from account through Invitation subject/message
https://notcve.org/view.php?id=CVE-2023-37914
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can view `Invitation.WebHome` can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6. Users are advised to upgrade. Users unable to upgrade may manually apply the patch on `Invitation.InvitationCommon` and `Invitation.InvitationConfig`, but there are otherwise no known workarounds for this vulnerability. • https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf https://jira.xwiki.org/browse/XWIKI-20421 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 2EXPL: 0CVE-2023-37277 – XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API
https://notcve.org/view.php?id=CVE-2023-37277
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks. • https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6 https://jira.xwiki.org/browse/XWIKI-20135 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 3CVE-2023-36477 – Persistent Cross-site Scripting (XSS) through CKEditor Configuration pages in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36477
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service and editing the javascript configuration of CKEditor, leading to persistent XSS. This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. • https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2 https://jira.xwiki.org/browse/CKEDITOR-508 https://jira.xwiki.org/browse/XWIKI-20590 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 3CVE-2023-36468 – Upgrading doesn't prevent exploiting vulnerable XWiki documents
https://notcve.org/view.php?id=CVE-2023-36468
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction steps so remote code execution is possible even after upgrading. • https://github.com/xwiki/xwiki-platform/commit/15a6f845d8206b0ae97f37aa092ca43d4f9d6e59 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8q9q-r9v2-644m https://jira.xwiki.org/browse/XWIKI-20594 • CWE-459: Incomplete Cleanup •
CVSS: 9.9EPSS: 1%CPEs: 5EXPL: 2CVE-2023-36469 – Code injection through NotificationRSSService in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36469
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.6 and 15.2RC1. Users are advised to update. As a workaround the main security fix can be manually applied by patching the affected document `XWiki.Notifications.Code.NotificationRSSService`. • https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-7221a548809fa2ba34348556f4b5bd436463c559ebdf691197932ee7ce4478ca https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-b261c6eac3108c3e6e734054c28a78f59d3439ab72fe8582dadf87670a0d15a4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-94pf-92hw-2hjc https://jira.xwiki.org/browse/XWIKI-20610 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •