CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-45591 – XWiki Platform document history including authors of any page exposed to unauthorized actors
https://notcve.org/view.php?id=CVE-2024-45591
XWiki Platform is a generic wiki platform. The REST API exposes the history of any page in XWiki of which the attacker knows the name. The exposed information includes for each modification of the page the time of the modification, the version number, the author of the modification (both username and displayed name) and the version comment. This information is exposed regardless of the rights setup, and even when the wiki is configured to be fully private. On a private wiki, this can be tested by accessing /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome/history, if this shows the history of the main page then the installation is vulnerable. • https://github.com/xwiki/xwiki-platform/commit/26482ee5d29fc21f31134d1ee13db48716e89e0f https://github.com/xwiki/xwiki-platform/commit/9cbca9808300797c67779bb9a665d85cf9e3d4b8 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pvmm-55r5-g3mm https://jira.xwiki.org/browse/XWIKI-22052 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-43400 – XWiki Platform allows XSS through XClass name in string properties
https://notcve.org/view.php?id=CVE-2024-43400
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. • https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v https://jira.xwiki.org/browse/XWIKI-21810 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-41947 – XWiki Platform XSS through conflict resolution
https://notcve.org/view.php?id=CVE-2024-41947
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-692v-783f-mg8x https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f https://github.com/xwiki/xwiki-platform/commit/e00e159d3737397eebd1f6ff925c1f5cb7cdec34 https://jira.xwiki.org/browse/XWIKI-21626 • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28 https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949 https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f https://jira.xwiki.org/browse/XWIKI-19602 https://jira.xwiki.org/browse/XWIKI-19611 https://jira.xwiki.org/browse& • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2024-37899 – Disabling a user account changes its author, allowing RCE from user account in XWiki
https://notcve.org/view.php?id=CVE-2024-37899
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93 https://jira.xwiki.org/browse/XWIKI-21611 • CWE-94: Improper Control of Generation of Code ('Code Injection') •