CVE-2021-43841

XSS by SVG upload in xwiki-platform

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. Users are advised to update or to disallow uploads of SVG files.

XWiki es una plataforma wiki genérica que ofrece servicios de tiempo de ejecución para aplicaciones construidas sobre ella. Cuando es usada la configuración predeterminada de XWiki, es posible que un atacante cargue un SVG que contenga un script ejecutado cuando es ejecutada la acción de descarga en el archivo. Este problema ha sido parcheado para que la configuración por defecto no permita mostrar los archivos SVG en el navegador. Se aconseja a usuarios que actualicen o desestimen la carga de archivos SVG

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-11-16 CVE Reserved
2022-02-04 CVE Published
2023-08-28 EPSS Updated
2024-08-04 CVE Updated
2024-08-04 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (4)

URL	Tag	Source
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9jq9-c2cv-pcrj	Third Party Advisory

URL	Date	SRC
https://jira.xwiki.org/browse/XWIKI-18368	2024-08-04

URL	Date	SRC
https://github.com/xwiki/xwiki-platform/commit/5853d492b3a274db0d94d560e2a5ea988a271c62	2022-02-10

URL	Date	SRC
https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload	2022-02-10

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 1.0 < 12.10.6 Search vendor "Xwiki" for product "Xwiki" and version " >= 1.0 < 12.10.6"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				>= 13.0 <= 13.2 Search vendor "Xwiki" for product "Xwiki" and version " >= 13.0 <= 13.2"		-		Affected