CVE-2023-38509 – XWiki Platform's obfuscated email addresses should not be sorted
https://notcve.org/view.php?id=CVE-2023-38509
XWiki Platform is a generic wiki platform. In org.xwiki.platform:xwiki-platform-livetable-ui starting with version 3.5-milestone-1 and prior to versions 14.10.9 and 15.3-rc-1, the mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. This has been patched in XWiki 14.10.9 and XWiki 15.3-rc-1. A workaround is to modify the page `XWiki.LiveTableResultsMacros` following the patch. XWiki Platform es una plataforma wiki genérica. • https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0 https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g https://jira.xwiki.org/browse/XWIKI-20601 • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVE-2023-37462 – Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in org.xwiki.platform:xwiki-platform-skin-ui
https://notcve.org/view.php?id=CVE-2023-37462
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. • https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg https://jira.xwiki.org/browse/XWIKI-20457 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2023-37277 – XWiki Platform vulnerable to cross-site request forgery (CSRF) via the REST API
https://notcve.org/view.php?id=CVE-2023-37277
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks. • https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6 https://jira.xwiki.org/browse/XWIKI-20135 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-36468 – Upgrading doesn't prevent exploiting vulnerable XWiki documents
https://notcve.org/view.php?id=CVE-2023-36468
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possible to exploit the vulnerability that was fixed in the new version. The severity of this depends on the fixed vulnerability, for the purpose of this advisory take CVE-2022-36100/GHSA-2g5c-228j-p52x as example - it is easily exploitable with just view rights and critical. When XWiki is upgraded from a version before the fix for it (e.g., 14.3) to a version including the fix (e.g., 14.4), the vulnerability can still be reproduced by adding `rev=1.1` to the URL used in the reproduction steps so remote code execution is possible even after upgrading. • https://github.com/xwiki/xwiki-platform/commit/15a6f845d8206b0ae97f37aa092ca43d4f9d6e59 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2g5c-228j-p52x https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8q9q-r9v2-644m https://jira.xwiki.org/browse/XWIKI-20594 • CWE-459: Incomplete Cleanup •
CVE-2023-36470 – Code injection in icon themes of XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36470
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inject XWiki syntax and Velocity code that is executed with programming rights and thus allows remote code execution. There are different attack vectors, the simplest is the Velocity code in the icon set's HTML or XWiki syntax definition. The [icon picker](https://extensions.xwiki.org/xwiki/bin/view/Extension/Icon%20Theme%20Application#HIconPicker) can be used to trigger the rendering of any icon set. The XWiki syntax variant of the icon set is also used without any escaping in some documents, allowing to inject XWiki syntax including script macros into a document that might have programming right, for this the currently used icon theme needs to be edited. • https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 https://github.com/xwiki/xwiki-platform/commit/79418dd92ca11941b46987ef881bf50424898ff4 https://github.com/xwiki/xwiki-platform/commit/b0cdfd893912baaa053d106a92e39fa1858843c7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf https://jira.xwiki.org/browse/XWIKI-20524 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •