
CVE-2023-29205 – org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro
https://notcve.org/view.php?id=CVE-2023-29205
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a proper neutralization of script-related HTML tags. As a result, any user able to use the HTML macro in XWiki is able to introduce an XSS attack. This can be particularly dangerous since in a standard wiki, any user is able to use the HTML macro directly in their own user profile page. The problem has been patched in XWiki 14.8RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxf7-mx22-jr24 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-29202 – org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29202
15 Apr 2023 — XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS feed with malicious content. With the interaction of a user with programming rights, this could be used to execute arbitrary acti... • https://github.com/xwiki/xwiki-platform/commit/5c7ebe47c2897e92d8f04fe2e15027e84dc3ec03 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-27480 – Data leak through a XAR import XXE attack in xwiki-platform-xar-model
https://notcve.org/view.php?id=CVE-2023-27480
07 Mar 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. • https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 • CWE-611: Improper Restriction of XML External Entity Reference •

CVE-2023-26056 – XWiki Platform allows macro execution as any user without programming rights through the context macro
https://notcve.org/view.php?id=CVE-2023-26056
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.0-milestone-1, it's possible to execute a script with the right of another user, provided the target user does not have programming right. The problem has been patched in XWiki 14.8-rc-1, 14.4.5, and 13.10.10. There are no known workarounds for this issue. • https://github.com/xwiki/xwiki-platform/commit/4b75f212c2dd2dfc5fb5726c7830c6dbc9a425c6 • CWE-863: Incorrect Authorization •

CVE-2023-26470 – In XWiki Platform, saving a document with a large object number leads to persistent OOM errors
https://notcve.org/view.php?id=CVE-2023-26470
02 Mar 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9c1a525e6 • CWE-400: Uncontrolled Resource Consumption • CWE-787: Out-of-bounds Write •

CVE-2023-26473 – XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm
https://notcve.org/view.php?id=CVE-2023-26473
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 1.3-rc-1, any user with edit right can execute arbitrary database select queries and access data stored in the database. The problem has been patched in XWiki 13.10.11, 14.4.7, and 14.10. There is no workaround for this vulnerability other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vpx4-7rfp-h545 • CWE-284: Improper Access Control •

CVE-2023-26475 – XWiki Platform vulnerable to Remote Code Execution in Annotations
https://notcve.org/view.php?id=CVE-2023-26475
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 2.3-milestone-1, the annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. There is no easy workaround except to upgrade. • https://github.com/xwiki/xwiki-platform/commit/d87d7bfd8db18c20d3264f98c6deefeae93b99f7 • CWE-269: Improper Privilege Management • CWE-270: Privilege Context Switching Error •

CVE-2023-26476 – Two XWiki Platform UIs Expose Sensitive Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2023-26476
02 Mar 2023 — XWiki Platform is a generic wiki platform. Starting in version 3.2-m3, users can deduce the content of the password fields by repeated calls to `LiveTableResults` and `WikisLiveTableResultsMacros`. The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, or 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`. • https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-307: Improper Restriction of Excessive Authentication Attempts •

CVE-2022-41927 – XWiki Platform vulnerable to Cross-Site Request Forgery (CSRF) allowing to delete or rename tags
https://notcve.org/view.php?id=CVE-2022-41927
23 Nov 2022 — XWiki Platform is vulnerable to Cross-Site Request Forgery (CSRF) that may allow attackers to delete or rename tags without needing any confirmation. The problem has been patched in XWiki 13.10.7, 14.4.1 and 14.5RC1. Workarounds: It's possible to patch existing instances directly by editing the page Main.Tags and add this kind of check, in the code for renaming and for deleting:
```
#if (!$services.csrf.isTokenValid($request.get('form_token')))
  #set ($discard = $response.sendError(401, "Wrong CSRF token"))
...
```
• https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-41932 – Creation of new database tables through login form on PostgreSQL
https://notcve.org/view.php?id=CVE-2022-41932
23 Nov 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database performance. The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling •