CVSS: 9.9EPSS: 0%CPEs: 4EXPL: 1CVE-2023-34465 – XWiki Platform's Mail.MailConfig can be edited by any user with edit rights
https://notcve.org/view.php?id=CVE-2023-34465
23 Jun 2023 — XWiki Platform is a generic wiki platform. Starting in version 11.8-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.2, `Mail.MailConfig` can be edited by any logged-in user by default. Consequently, they can change the mail obfuscation configuration and view and edit the mail sending configuration, including the smtp domain name and credentials. The problem has been patched in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, the rights of the `Mail.MailConfig` page can be manually updated so that only a... • https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1 • CWE-269: Improper Privilege Management •
CVSS: 9.0EPSS: 1%CPEs: 3EXPL: 2CVE-2023-34464 – XWiki vulnerable to stored cross-site scripting via any wiki document and the displaycontent/rendercontent template
https://notcve.org/view.php?id=CVE-2023-34464
23 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tr... • https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 30%CPEs: 1EXPL: 1CVE-2023-35166 – Privilege escalation (PR) from account through TipsPanel
https://notcve.org/view.php?id=CVE-2023-35166
20 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5. • https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 47%CPEs: 2EXPL: 0CVE-2023-32068 – URL Redirection to Untrusted Site in XWiki
https://notcve.org/view.php?id=CVE-2023-32068
15 May 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1 but there is still the possibility to force specific URLs to skip some checks, e.g. using URLs like `http:example.com` in the parameter would allow the redirect. The issue has now been patched a... • https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1e • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.0EPSS: 47%CPEs: 3EXPL: 0CVE-2023-32071 – XWiki Platform vulnerable to RXSS via editor parameter - importinline template
https://notcve.org/view.php?id=CVE-2023-32071
09 May 2023 — XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute javascript with the right of any user by leading him to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `
CVSS: 9.9EPSS: 3%CPEs: 2EXPL: 0CVE-2023-32069 – XWiki Platform privilege escalation (PR)/RCE from account through class sheet
https://notcve.org/view.php?id=CVE-2023-32069
09 May 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds. • https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4 • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 3%CPEs: 1EXPL: 0CVE-2023-31126 – Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-31126
09 May 2023 — `org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that ... • https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages •
CVSS: 7.8EPSS: 1%CPEs: 3EXPL: 4CVE-2023-29517 – Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer
https://notcve.org/view.php?id=CVE-2023-29517
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The office document viewer macro was allowing anyone to see any file content from the hosting server, provided that the office server was connected and depending on the permissions of the user running the servlet engine (e.g. tomcat) running XWiki. The same vulnerability also allowed to perform internal requests to resources from the hosting server. The problem has been patched in XWiki 13.10.11, 14.10.1... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m3c3-9qj7-7xmx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.9EPSS: 20%CPEs: 3EXPL: 2CVE-2023-29516 – Code injection from view right on XWiki.AttachmentSelector in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29516
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.7EPSS: 1%CPEs: 3EXPL: 2CVE-2023-29515 – Cross-site scripting (XSS) in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29515
18 Apr 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinu... • https://github.com/xwiki/xwiki-platform/commit/e73b890623efa604adc484ad82f37e31596fe1a6 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •