CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 2CVE-2023-36471 – HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-36471
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println("Hello from Groovy!")" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. • https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v https://jira.xwiki.org/browse/XCOMMONS-2634 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 1CVE-2023-29528 – Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2023-29528
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. • https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h https://jira.xwiki.org/browse/XCOMMONS-2568 https://jira.xwiki.org/browse/XWIKI-20348 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 7EXPL: 3CVE-2023-26055 – XWiki Commons may allow privilege escalation to programming rights via user's first name
https://notcve.org/view.php?id=CVE-2023-26055
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1. • https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h https://jira.xwiki.org/browse/XCOMMONS-2498 https://jira.xwiki.org/browse/XWIKI-19793 https://jira.xwiki.org/browse/XWIKI-19794 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2013-1907
https://notcve.org/view.php?id=CVE-2013-1907
The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. El módulo Commons Group anterior a 7.x-3.1 para Drupal utilizado en el módulo Commons anterior a 7.x-3.1, no restringe adecuadamente el acceso a los grupos, lo que permite a atacantes remotos la publicación de contenido arbitrario a través de vectores no especificados. • http://osvdb.org/91748 http://packetstormsecurity.com/files/120991/Drupal-Common-Groups-7.x-Access-Bypass-Privilege-Escalation.html http://seclists.org/fulldisclosure/2013/Mar/242 http://secunia.com/advisories/52769 http://secunia.com/advisories/52795 https://drupal.org/node/1954762 https://drupal.org/node/1954764 https://drupal.org/node/1954948 https://exchange.xforce.ibmcloud.com/vulnerabilities/83133 • CWE-264: Permissions, Privileges, and Access Controls •