CVE-2023-26055 – XWiki Commons may allow privilege escalation to programming rights via user's first name
https://notcve.org/view.php?id=CVE-2023-26055
XWiki Commons are technical libraries common to several other top-level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code that is then executed with programming rights. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g. in apps created using Apps Within Minutes that use a short text field. The problem has been patched in versions 13.10.9, 14.4.4, and 14.7RC1. • https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h https://jira.xwiki.org/browse/XCOMMONS-2498 https://jira.xwiki.org/browse/XWIKI-19793 https://jira.xwiki.org/browse/XWIKI-19794 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
CVE-2022-24898 – Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml
https://notcve.org/view.php?id=CVE-2022-24898
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, a script can read any file accessible to the user running the XWiki application server, via XML External Entity (XXE) injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for this vulnerability other than upgrading and being careful when granting Script rights. • https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 https://jira.xwiki.org/browse/XWIKI-18946 • CWE-611: Improper Restriction of XML External Entity Reference
CVE-2013-1907
https://notcve.org/view.php?id=CVE-2013-1907
The Commons Group module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. • http://osvdb.org/91748 http://packetstormsecurity.com/files/120991/Drupal-Common-Groups-7.x-Access-Bypass-Privilege-Escalation.html http://seclists.org/fulldisclosure/2013/Mar/242 http://secunia.com/advisories/52769 http://secunia.com/advisories/52795 https://drupal.org/node/1954762 https://drupal.org/node/1954764 https://drupal.org/node/1954948 https://exchange.xforce.ibmcloud.com/vulnerabilities/83133 • CWE-264: Permissions, Privileges, and Access Controls
CVE-2013-1908
https://notcve.org/view.php?id=CVE-2013-1908
The Commons Wikis module before 7.x-3.1 for Drupal, as used in the Commons module before 7.x-3.1, does not properly restrict access to groups, which allows remote attackers to post arbitrary content to groups via unspecified vectors. • http://osvdb.org/91747 http://packetstormsecurity.com/files/120995/Drupal-Common-Wikis-7.x-Access-Bypass-Privilege-Escalation.html http://seclists.org/fulldisclosure/2013/Mar/244 http://secunia.com/advisories/52766 http://secunia.com/advisories/52795 https://drupal.org/node/1954766 https://drupal.org/node/1954768 https://drupal.org/node/1954948 • CWE-264: Permissions, Privileges, and Access Controls