CVSS: 7.7EPSS: 0%CPEs: 3EXPL: 2CVE-2023-29515 – Cross-site scripting (XSS) in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29515
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinutes/CreateApplication? • https://github.com/xwiki/xwiki-platform/commit/e73b890623efa604adc484ad82f37e31596fe1a6 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-44h9-xxvx-pg6x https://jira.xwiki.org/browse/XWIKI-20190 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2CVE-2023-29514 – Code injection in template provider administration in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29514
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/xwiki/xwiki-platform/commit/7bf7094f8ffac095f5d66809af7554c9cc44de09 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9j36-3cp4-rh4j https://jira.xwiki.org/browse/XWIKI-20268 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 3CVE-2023-29513 – Users can be created even when registration is disabled without validation via the template macro in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29513
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If guest has view right on any document. It's possible to create a new user using the `distribution/firstadminuser.wiki` in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other than upgrading. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp36-mjw5-fmgx https://jira.xwiki.org/browse/XWIKI-19852 https://jira.xwiki.org/browse/XWIKI-20400 • CWE-284: Improper Access Control •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 2CVE-2023-29512 – Code injection in xwiki-platform-web-templates
https://notcve.org/view.php?id=CVE-2023-29512
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in `imported.vm`, `importinline.vm`, and `packagelist.vm`. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. • https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hg5x-3w3x-7g96 https://jira.xwiki.org/browse/XWIKI-20267 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 2CVE-2023-29510 – Code injection via unescaped translations in xwiki-platform
https://notcve.org/view.php?id=CVE-2023-29510
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user's own profile where edit access is enabled by default. A mitigation for this vulnerability is part of XWiki 14.10.2 and XWiki 15.0 RC1: translations with user scope now require script right. • https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw https://jira.xwiki.org/browse/XWIKI-19749 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •