CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2024-31996 – XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
https://notcve.org/view.php?id=CVE-2024-31996
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. • https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5 https://jira.xwiki.org/browse/XCOMMONS-2828 https://jira.xwiki.org/browse/XWIKI-21438 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 2CVE-2023-36471 – HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-36471
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println("Hello from Groovy!")" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. • https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v https://jira.xwiki.org/browse/XCOMMONS-2634 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 1CVE-2023-29528 – Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-29528
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. • https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h https://jira.xwiki.org/browse/XCOMMONS-2568 https://jira.xwiki.org/browse/XWIKI-20348 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 7EXPL: 3CVE-2023-26055 – XWiki Commons may allow privilege escalation to programming rights via user's first name
https://notcve.org/view.php?id=CVE-2023-26055
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1. • https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h https://jira.xwiki.org/browse/XCOMMONS-2498 https://jira.xwiki.org/browse/XWIKI-19793 https://jira.xwiki.org/browse/XWIKI-19794 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 4.9EPSS: 0%CPEs: 3EXPL: 1CVE-2022-24898 – Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2022-24898
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights. org.xwiki.commons:xwiki-commons-xml es un módulo común usado por otros proyectos de primer nivel de XWiki. A partir de la versión 2.7 y versiones anteriores a 12.10.10, 13.4.4 y 13.8-rc-1, es posible que un script acceda a cualquier archivo que acceda al usuario que ejecuta el servidor de aplicaciones XWiki con XML External Entity Injection mediante el servicio de script XML. • https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 https://jira.xwiki.org/browse/XWIKI-18946 • CWE-611: Improper Restriction of XML External Entity Reference •