CVE-2023-29208 – Data leak through deleted documents
https://notcve.org/view.php?id=CVE-2023-29208
XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view rights provided on a space of a deleted document are properly checked. The problem has been patched in XWiki 14.10 by checking the rights of current user: only admin and deleter of the document are allowed to view it. • https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8g-fq6x-jqrr https://jira.xwiki.org/browse/XWIKI-16285 • CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2023-29205 – org.xwiki.platform:xwiki-platform-rendering-xwiki vulnerable to stored cross-site scripting via HTML and raw macro
https://notcve.org/view.php?id=CVE-2023-29205
XWiki Commons are technical libraries common to several other top level XWiki projects. The HTML macro does not systematically perform a proper neutralization of script-related html tags. As a result, any user able to use the html macro in XWiki, is able to introduce an XSS attack. This can be particularly dangerous since in a standard wiki, any user is able to use the html macro directly in their own user profile page. The problem has been patched in XWiki 14.8RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxf7-mx22-jr24 https://jira.xwiki.org/browse/XWIKI-18568 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-29202 – org.xwiki.platform:xwiki-platform-rendering-macro-rss Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2023-29202
XWiki Commons are technical libraries common to several other top level XWiki projects. The RSS macro that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS feed with malicious content. With the interaction of a user with programming rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content and sabotaging the wiki. The issue has been patched in XWiki 14.6 RC1, the content of the feed is now properly cleaned before being displayed. • https://github.com/xwiki/xwiki-platform/commit/5c7ebe47c2897e92d8f04fe2e15027e84dc3ec03 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c885-89fw-55qr https://jira.xwiki.org/browse/XWIKI-19671 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-27480 – Data leak through a XAR import XXE attack in xwiki-platform-xar-model
https://notcve.org/view.php?id=CVE-2023-27480
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch `e3527b98fd` manually. • https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx4f-976g-7g6v https://jira.xwiki.org/browse/XWIKI-20320 • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2023-26470 – In XWiki Platform, saving a document with a large object number leads to persistent OOM errors
https://notcve.org/view.php?id=CVE-2023-26470
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and make it unusable every time this document is manipulated. This issue has been patched in XWiki 14.0-rc-1. • https://github.com/xwiki/xwiki-platform/commit/04e5a89d2879b160cdfaea846024d3d9c1a525e6 https://github.com/xwiki/xwiki-platform/commit/db3d1c62fc5fb59fefcda3b86065d2d362f55164 https://github.com/xwiki/xwiki-platform/commit/fdfce062642b0ac062da5cda033d25482f4600fa https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-92wp-r7hm-42g7 https://jira.xwiki.org/browse/XWIKI-19223 • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •