
CVE-2023-32069 – XWiki Platform privilege escalation (PR)/RCE from account through class sheet
https://notcve.org/view.php?id=CVE-2023-32069
09 May 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4 • CWE-863: Incorrect Authorization

CVE-2023-29517 – Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer
https://notcve.org/view.php?id=CVE-2023-29517
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro allowed anyone to see the content of any file on the hosting server, provided that the office server was connected, and subject to the permissions of the user running the servlet engine (e.g. Tomcat) that runs XWiki. The same vulnerability also allowed performing internal requests to resources on the hosting server. The problem has been patched in XWiki 13.10.11, 14.10.1... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m3c3-9qj7-7xmx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVE-2023-29516 – Code injection from view right on XWiki.AttachmentSelector in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29516
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-29515 – Cross-site scripting (XSS) in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29515
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. Even when the button is disabled because the user doesn't have the global edit right, the app can still be created by directly opening `/xwiki/bin/view/AppWithinMinu... • https://github.com/xwiki/xwiki-platform/commit/e73b890623efa604adc484ad82f37e31596fe1a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-29514 – Code injection in template provider administration in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29514
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/xwiki/xwiki-platform/commit/7bf7094f8ffac095f5d66809af7554c9cc44de09 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-29513 – Users can be created even when registration is disabled without validation via the template macro in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29513
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If the guest user has view right on any document, it's possible to create a new user by using `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp36-mjw5-fmgx • CWE-284: Improper Access Control

CVE-2023-29512 – Code injection in xwiki-platform-web-templates
https://notcve.org/view.php?id=CVE-2023-29512
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., their own user page) can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in `imported.vm`, `importinline.vm`, and `packagelist.vm`. These templates are installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 1... • https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-29510 – Code injection via unescaped translations in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29510
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping, which allows remote code execution for any user who has edit access on at least one document; this could be the user's own profile, where edit access is enabled by default. A mitigation for t... • https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-29522 – Code injection from view right on XWiki.ClassSheet in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29522
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary script macros, including Groovy and Python macros, that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. This issue has been patched in XWiki 14.4.8, 14.10.3 and 15.0RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d7e56185376641ee5d66477c6b2791ca8e85cfee • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-29521 – Code injection from account/view through VFS Tree macro in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29521
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki, leading to full access to the XWiki installation. The root cause is improper escaping in `Macro.VFSTreeMacro`. This page is not installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8 and 13.10.11. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')