
CVE-2022-36096 – XWiki Platform vulnerable to Cross-site Scripting in the deleted attachments list
https://notcve.org/view.php?id=CVE-2022-36096
08 Sep 2022 — The XWiki Platform Index UI is an index of all pages, attachments, orphans and deleted pages and attachments for XWiki Platform, a generic wiki platform. Prior to versions 13.10.6 and 14.3, it's possible to store JavaScript which will be executed by anyone viewing the deleted attachments index with an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3. As a workaround, one can fix the vulnerability by editing the wiki page `XWiki.DeletedAttachments` with the o... • https://github.com/xwiki/xwiki-platform/commit/6705b0cd0289d1c90ed354bd4ecc1508c4b25745 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2022-36095 – XWiki Cross-Site Request Forgery (CSRF) for actions on tags
https://notcve.org/view.php?id=CVE-2022-36095
08 Sep 2022 — XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the `documentTags.vm` template in one's filesystem to apply the changes shown in the fix. • https://github.com/xwiki/xwiki-platform/commit/7ca56e40cf79a468cea54d3480b6b403f259f9ae • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2022-36094 – XWiki Platform Web Parent POM vulnerable to XSS in the attachment history
https://notcve.org/view.php?id=CVE-2022-36094
08 Sep 2022 — XWiki Platform Web Parent POM contains Web resources for the XWiki platform, a generic wiki platform. Starting with version 1.0 and prior to versions 13.10.6 and 14.3-rc-1, it's possible to store JavaScript which will be executed by anyone viewing the history of an attachment containing JavaScript in its name. This issue has been patched in XWiki 13.10.6 and 14.3RC1. As a workaround, it is possible to replace `viewattachrev.vm`, the entry point for this attack, by a patched version from the patch without u... • https://github.com/xwiki/xwiki-platform/commit/047ce9fa4a7c13f3883438aaf54fc50f287a7e8e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2022-36092 – XWiki Platform Old Core vulnerable to Authentication Bypass Using the Login Action
https://notcve.org/view.php?id=CVE-2022-36092
08 Sep 2022 — XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified templates. This exposes title, content and comments of any document and properties of objects, though class and property name must be known. This is also exploitable on private wikis. This has been patched in versions 14.2 and 13.10.4 by pr... • https://github.com/xwiki/xwiki-platform/commit/71a6d0bb6f8ab718fcfaae0e9b8c16c2d69cd4bb • CWE-287: Improper Authentication •
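The description gives defenders a concrete signal to hunt for: requests that pair the `login` action with an explicitly requested template. The following Python is an added example, not code from XWiki or from the advisory; it assumes the usual XWiki URL layout (`/<context>/bin/<action>/<Space>/<Page>`) and that templates are selected with the `xpage` request parameter, and it runs over constructed combined-format access-log lines embedded below. It flags `login` requests carrying `xpage` and leaves the routine uses of `xpage` on `view` or `get` alone; the template names in the samples are arbitrary, since the rule keys on the action/parameter combination rather than on a specific template.

```python
"""Hunt for the CVE-2022-36092 request pattern in web-server access logs.

Added example (stdlib only): parses combined-log-format lines, extracts the
XWiki action from the path and flags `login` requests that also carry an
`xpage` (template) parameter. Sample log lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format (Apache/nginx default); fields we do not need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed XWiki URL layout: /<servlet-context>/bin/<action>/<Space>/<Page>?<query>
ACTION_RE = re.compile(r'^(?:/[^/]+)?/bin/(?P<action>[^/?]+)')


def parse_line(line):
    """Return a dict with ip, ts, method, status, path, action and query params,
    or None when the line is not in combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    am = ACTION_RE.match(parts.path)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "path": parts.path,
        "action": am.group("action") if am else None,
        "params": parse_qs(parts.query),
    }


def is_login_template_abuse(entry):
    """True for the pattern the advisory describes: the `login` action combined
    with an explicitly requested template. A normal login-page request carries no
    `xpage`, and `xpage` on other actions (view, get, ...) is routine."""
    return (
        entry is not None
        and entry["action"] == "login"
        and "xpage" in entry["params"]
    )


def scan(lines):
    """Return the parsed entries that match the pattern, in log order."""
    return [e for e in map(parse_line, lines) if is_login_template_abuse(e)]


# Constructed sample log (not from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Sep/2022:10:01:02 +0000] "GET /xwiki/bin/login/XWiki/XWikiLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Sep/2022:10:01:30 +0000] "GET /xwiki/bin/login/Sales/Forecast?xpage=plain HTTP/1.1" 200 2048 "-" "curl/7.85.0"',
    '198.51.100.7 - - [12/Sep/2022:10:02:10 +0000] "GET /xwiki/bin/view/Sales/Forecast?xpage=plain HTTP/1.1" 401 310 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Sep/2022:10:03:00 +0000] "POST /xwiki/bin/login/HR/Salaries?xpage=print HTTP/1.1" 200 900 "-" "python-requests/2.28"',
    'garbage line that is not an access log entry',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["method"]} {hit["path"]} '
              f'xpage={hit["params"]["xpage"]} status={hit["status"]}')
```

Run it over a real log with `scan(open("access.log").readlines())`; a 200 on a flagged request against a wiki that denies guests is the case worth looking at first, and the status is kept in each hit for that reason.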

CVE-2022-36091 – XWiki Platform Web Templates vulnerable to Missing Authorization and Exposure of Private Personal Information to an Unauthorized Actor
https://notcve.org/view.php?id=CVE-2022-36091
08 Sep 2022 — XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP or SMTP servers could be accessed. By e... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-599v-w48h-rjrm • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •

CVE-2022-36090 – org.xwiki.platform:xwiki-platform-oldcore Improper Authorization check for inactive users
https://notcve.org/view.php?id=CVE-2022-36090
08 Sep 2022 — XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.10.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. In the same way, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least... • https://github.com/xwiki/xwiki-platform/commit/e074d226d9b2b96a0a1ba4349d1b73a802842986 • CWE-285: Improper Authorization •

CVE-2022-29161 – Crypto script service uses hashing algorithm SHA1 with RSA for certificate signature in xwiki-platform
https://notcve.org/view.php?id=CVE-2022-29161
05 May 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advise... • https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52 • CWE-326: Inadequate Encryption Strength CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
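Upgrading changes only the default for certificates generated from then on; anything issued earlier keeps its SHA-1 signature, so a deployment has to find those. The following Python is an added example, not code from XWiki or the advisory: a stdlib-only DER walker that reads the outer `Certificate` SEQUENCE, skips `tbsCertificate` and decodes the `signatureAlgorithm` OID, then classifies it. The two sample inputs are constructed stubs that carry only the outer structure the walker reads (a placeholder tbsCertificate and signature); they are not real certificates.

```python
"""Classify the signature algorithm of an X.509 certificate (DER or PEM).

Added example (stdlib only). Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue }
The walker reads just enough DER to reach the AlgorithmIdentifier's OID.
Sample inputs at the bottom are constructed stubs, not real certificates.
"""
import base64

WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
OK_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content octets into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)     # skip tbsCertificate entirely
    tag, alg_pos, _ = _read_tlv(der, tbs_end)
    if tag != 0x30:
        raise ValueError("missing signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def classify(der):
    """Return ('weak'|'ok'|'unknown', algorithm name or raw OID)."""
    oid = signature_algorithm_oid(der)
    if oid in WEAK_SIG_OIDS:
        return "weak", WEAK_SIG_OIDS[oid]
    if oid in OK_SIG_OIDS:
        return "ok", OK_SIG_OIDS[oid]
    return "unknown", oid


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# --- constructed sample input (structure only, not real certificates) ---
def _der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _stub_cert(sig_oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))                       # placeholder tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\xab" * 16)                    # placeholder BIT STRING
    return _der(0x30, tbs + alg + sig)


SAMPLE_SHA1_CERT = _stub_cert("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SAMPLE_SHA256_CERT = _stub_cert("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

if __name__ == "__main__":
    for name, der in (("sha1-stub", SAMPLE_SHA1_CERT), ("sha256-stub", SAMPLE_SHA256_CERT)):
        print(name, classify(der))
```

For a PEM file on disk, `classify(pem_to_der(open(path).read()))` gives the same verdict that `openssl x509 -in path -noout -text` shows in its `Signature Algorithm` line; the walker only needs the outer structure, so it works unchanged on real certificates whose lengths use the long form.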

CVE-2022-24897 – Arbitrary filesystem write access from Velocity
https://notcve.org/view.php?id=CVE-2022-24897
02 May 2022 — The XWiki Commons Velocity module provides APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, Velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attack script in Velocity requires Script rights in XWiki, so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.... • https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2022-24820 – Unauthenticated user can list hidden document from multiple velocity templates
https://notcve.org/view.php?id=CVE-2022-24820
08 Apr 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents by rendering some Velocity templates. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5 • CWE-306: Missing Authentication for Critical Function CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •

CVE-2022-24819 – Unauthenticated user can retrieve the list of users through uorgsuggest.vm
https://notcve.org/view.php?id=CVE-2022-24819
08 Apr 2022 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •