CWE-95
AllowedImproper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Abstraction: Variant · Status: Incomplete
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
261 vulnerabilities reference this CWE, most recent first.
GHSA-W3PJ-WH35-FQ8W
Vulnerability from github – Published: 2025-02-05 15:32 – Updated: 2025-02-05 15:32Summary
Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.
Details
The following methods pass XPath expressions to the commons-jxpath library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input.
org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class<T>)org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class<T>)org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)
PoC
The following inputs to StreamingParser will delay the response by five seconds:
new org.geotools.xsd.StreamingParser(
new org.geotools.filter.v1_0.OGCConfiguration(),
new java.io.ByteArrayInputStream("<Filter></Filter>".getBytes()),
"java.lang.Thread.sleep(5000)")
.parse();
Impact
This vulnerability can lead to executing arbitrary code.
Mitigation
GeoTools can operate with reduced functionality by removing the gt-complex jar from your application. As an example of the impact application schema datastore would not function without the ability to use XPath expressions to query complex content.
The SourceForge download page lists drop-in-replacement jars for GeoTools: 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.
References
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv https://osgeo-org.atlassian.net/browse/GEOT-7587 https://github.com/geotools/geotools/pull/4797 https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-app-schema"
},
"ranges": [
{
"events": [
{
"introduced": "30.0"
},
{
"fixed": "30.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-complex"
},
"ranges": [
{
"events": [
{
"introduced": "30.0"
},
{
"fixed": "30.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools.xsd:gt-xsd-core"
},
"ranges": [
{
"events": [
{
"introduced": "30.0"
},
{
"fixed": "30.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-app-schema"
},
"ranges": [
{
"events": [
{
"introduced": "31.0"
},
{
"fixed": "31.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-complex"
},
"ranges": [
{
"events": [
{
"introduced": "31.0"
},
{
"fixed": "31.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools.xsd:gt-xsd-core"
},
"ranges": [
{
"events": [
{
"introduced": "31.0"
},
{
"fixed": "31.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-app-schema"
},
"ranges": [
{
"events": [
{
"introduced": "29.0"
},
{
"fixed": "29.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-complex"
},
"ranges": [
{
"events": [
{
"introduced": "29.0"
},
{
"fixed": "29.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools.xsd:gt-xsd-core"
},
"ranges": [
{
"events": [
{
"introduced": "29.0"
},
{
"fixed": "29.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-app-schema"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "28.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools:gt-complex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "28.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.geotools.xsd:gt-xsd-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "28.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-36404"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-05T15:32:02Z",
"nvd_published_at": "2024-07-02T14:15:13Z",
"severity": "CRITICAL"
},
"details": "### Summary\nRemote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.\n\n### Details\nThe following methods pass XPath expressions to the `commons-jxpath` library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input.\n\n* `org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)`\n* `org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)`\n* `org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)`\n* `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class\u003cT\u003e)`\n* `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)`\n* `org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class\u003cT\u003e)`\n* `org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)`\n\n### PoC\nThe following inputs to StreamingParser will delay the response by five seconds:\n```\n new org.geotools.xsd.StreamingParser(\n new org.geotools.filter.v1_0.OGCConfiguration(),\n new java.io.ByteArrayInputStream(\"\u003cFilter\u003e\u003c/Filter\u003e\".getBytes()),\n \"java.lang.Thread.sleep(5000)\")\n .parse();\n```\n\n### Impact\n\nThis vulnerability can lead to executing arbitrary code.\n\n### Mitigation\n\nGeoTools can operate with reduced functionality by removing the `gt-complex` jar from your application. As an example of the impact application schema datastore would not function without the ability to use XPath expressions to query complex content.\n\nThe SourceForge download page lists drop-in-replacement jars for GeoTools: [31.1](https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1/), [30.3](https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download), [30.2](https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download), [29.2](https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download), [28.2](https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download), [27.5](https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download), [27.4](https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download), [26.7](https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download), [26.4](https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4/), [25.2](https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download), [24.0](https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download). These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.\n\n### References\nhttps://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv\nhttps://osgeo-org.atlassian.net/browse/GEOT-7587\nhttps://github.com/geotools/geotools/pull/4797\nhttps://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
"id": "GHSA-w3pj-wh35-fq8w",
"modified": "2025-02-05T15:32:03Z",
"published": "2025-02-05T15:32:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36404"
},
{
"type": "WEB",
"url": "https://github.com/geotools/geotools/pull/4797"
},
{
"type": "WEB",
"url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
},
{
"type": "WEB",
"url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
},
{
"type": "WEB",
"url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
},
{
"type": "PACKAGE",
"url": "https://github.com/geotools/geotools"
},
{
"type": "WEB",
"url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions"
}
GHSA-W56X-9778-RPPX
Vulnerability from github – Published: 2026-06-22 20:09 – Updated: 2026-06-22 20:09Summary
The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro's rights. Therefore, it is vulnerable to XWiki syntax injection via the included page's title and content, allowing remote code execution for any user who can edit a page.
Details
The title of the included page isn't escaped in ExcerptInclude.xml#L277. Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro's content such that it is executed with the macro's rights.
PoC
- As a user without script or programming right, create a page named
Exploit. - In the edit screen, change the title to
{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}. - Set the content to
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}
{{excerpt}}
{{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}
- Save and view the page.
- If this displays "Hello from Groovy Title!" without the surrounding macro code or "Hello from Groovy content!", the attack succeeded.
Impact
Remote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "com.xwiki.pro:xwiki-pro-macros"
},
"ranges": [
{
"events": [
{
"introduced": "1.13"
},
{
"fixed": "1.14.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44179"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-22T20:09:59Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nThe excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro\u0027s rights. Therefore, it is vulnerable to XWiki syntax injection via the included page\u0027s title and content, allowing remote code execution for any user who can edit a page.\n\n### Details\nThe title of the included page isn\u0027t escaped in [ExcerptInclude.xml#L277](https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/ExcerptInclude.xml#L277). Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro\u0027s content such that it is executed with the macro\u0027s rights.\n\n### PoC\n1. As a user without script or programming right, create a page named `Exploit`.\n2. In the edit screen, change the title to `{{async}}{{groovy}}println(\"Hello from Groovy Title!\"){{/groovy}}{{/async}}`.\n3. Set the content to\n```\n{{excerpt-include 0=\"Exploit.WebHome\"}}{{/excerpt-include}}\n\n{{excerpt}}\n {{async}}{{groovy}}println(\"Hello from Groovy content!\"){{/groovy}}{{/async}}\n{{/excerpt}}\n```\n4. Save and view the page.\n5. If this displays \"Hello from Groovy Title!\" without the surrounding macro code or \"Hello from Groovy content!\", the attack succeeded.\n\n### Impact\nRemote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.",
"id": "GHSA-w56x-9778-rppx",
"modified": "2026-06-22T20:09:59Z",
"published": "2026-06-22T20:09:59Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-w56x-9778-rppx"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwikisas/xwiki-pro-macros"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro"
}
GHSA-W757-4QV9-MGHP
Vulnerability from github – Published: 2026-01-13 19:01 – Updated: 2026-01-14 21:44Summary
OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().
Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "openc3"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.6"
},
{
"fixed": "6.10.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68271"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:01:49Z",
"nvd_published_at": "2026-01-13T19:16:14Z",
"severity": "CRITICAL"
},
"details": "### Summary\nOpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().\n\nBecause the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).",
"id": "GHSA-w757-4qv9-mghp",
"modified": "2026-01-14T21:44:52Z",
"published": "2026-01-13T19:01:49Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68271"
},
{
"type": "WEB",
"url": "https://github.com/OpenC3/cosmos/commit/01e9fbc5e66e9a2500b71a75a44775dd1fc2d1de"
},
{
"type": "PACKAGE",
"url": "https://github.com/OpenC3/cosmos"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2025-68271.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "openc3-api Vulnerable to Unauthenticated Remote Code Execution"
}
GHSA-W7V9-FC49-4QG4
Vulnerability from github – Published: 2023-04-12 20:35 – Updated: 2023-04-26 20:33Impact
Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter.
A proof of concept exploit is to open /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where is the URL of your XWiki installation.
Patches
The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
Workarounds
The issue can be fixed manually applying this patch.
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "5.3-milestone-2"
},
{
"fixed": "13.10.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "14.0-rc-1"
},
{
"fixed": "14.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29211"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-12T20:35:30Z",
"nvd_published_at": "2023-04-16T07:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAny user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter.\n\nA proof of concept exploit is to open \u003cxwiki-host\u003e/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where \u003cxwiki-host\u003e is the URL of your XWiki installation.\n\n### Patches\nThe problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.\n\n### Workarounds\nThe issue can be fixed manually applying this [patch](https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64).\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-w7v9-fc49-4qg4",
"modified": "2023-04-26T20:33:26Z",
"published": "2023-04-12T20:35:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29211"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20297"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability"
}
GHSA-WCJW-3V6P-4V3R
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-16 21:57An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mindsdb"
},
"ranges": [
{
"events": [
{
"introduced": "23.10.3.0"
},
{
"fixed": "24.7.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45846"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-12T17:04:00Z",
"nvd_published_at": "2024-09-12T13:15:12Z",
"severity": "HIGH"
},
"details": "An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted \u2018SELECT WHERE\u2019 clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.",
"id": "GHSA-wcjw-3v6p-4v3r",
"modified": "2024-09-16T21:57:30Z",
"published": "2024-09-12T15:33:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45846"
},
{
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/commit/11a4db792ad36cf704f7307c7602128b17752c80"
},
{
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-77.yaml"
},
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MindsDB Eval Injection vulnerability"
}
GHSA-WF9G-C67G-H4CH
Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-16 22:33An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mindsdb"
},
"ranges": [
{
"events": [
{
"introduced": "23.10.5.0"
},
{
"fixed": "24.7.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45851"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-12T17:03:51Z",
"nvd_published_at": "2024-09-12T13:15:14Z",
"severity": "HIGH"
},
"details": "An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an \u2018INSERT\u2019 query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.",
"id": "GHSA-wf9g-c67g-h4ch",
"modified": "2024-09-16T22:33:29Z",
"published": "2024-09-12T15:33:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45851"
},
{
"type": "WEB",
"url": "https://github.com/mindsdb/mindsdb/commit/11a4db792ad36cf704f7307c7602128b17752c80"
},
{
"type": "PACKAGE",
"url": "https://github.com/mindsdb/mindsdb"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-81.yaml"
},
{
"type": "WEB",
"url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MindsDB Eval Injection vulnerability"
}
GHSA-X2QM-R4WX-8GPG
Vulnerability from github – Published: 2023-03-03 22:51 – Updated: 2023-03-03 22:51Impact
It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters form_token=1&action=create.
For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following groovy code: println("hello from groovy!") on the server.
Patches
This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.
Workarounds
It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
References
- https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
- https://jira.xwiki.org/browse/XWIKI-19757
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.4"
},
{
"fixed": "13.10.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.0"
},
{
"fixed": "14.4.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
},
"ranges": [
{
"events": [
{
"introduced": "14.5"
},
{
"fixed": "14.9-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-26477"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2023-03-03T22:51:02Z",
"nvd_published_at": "2023-03-02T18:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nIt\u0027s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1\u0026action=create`.\n\nFor instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D\u0026form_token=1\u0026action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D\u0026form_token=1\u0026action=create) will execute the following groovy code: `println(\"hello from groovy!\")` on the server.\n\n### Patches\nThis has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.\n\n### Workarounds\nIt is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from [the patch fixing the issue](https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284).\n\n### References\n- https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284\n- https://jira.xwiki.org/browse/XWIKI-19757\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
"id": "GHSA-x2qm-r4wx-8gpg",
"modified": "2023-03-03T22:51:02Z",
"published": "2023-03-03T22:51:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26477"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-19757"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability"
}
GHSA-XM4H-3JXR-M3C6
Vulnerability from github – Published: 2024-04-10 17:13 – Updated: 2024-04-10 22:01Impact
By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.
To reproduce, as a user without script nor programming rights, create a document with title {{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}} and content Test Document. Using the search UI, search for "Test Document", then deploy the Location facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:
Hello from Groovy Title!
</a>
<div class="itemCount">1</div>
</li>
</ul>
{{/html}}
Patches
This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.
Workarounds
Modify the Main.SolrSpaceFacet page following this patch.
References
- https://jira.xwiki.org/browse/XWIKI-21471
- https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb
- https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
},
"ranges": [
{
"events": [
{
"introduced": "7.2-rc-1"
},
{
"fixed": "14.10.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.0-rc-1"
},
{
"fixed": "15.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
},
"ranges": [
{
"events": [
{
"introduced": "15.6-rc-1"
},
{
"fixed": "15.10-rc-1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-31984"
],
"database_specific": {
"cwe_ids": [
"CWE-94",
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-10T17:13:15Z",
"nvd_published_at": "2024-04-10T20:15:08Z",
"severity": "CRITICAL"
},
"details": "### Impact\nBy creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce, as a user without script nor programming rights, create a document with title `{{/html}}{{async}}{{groovy}}println(\"Hello from Groovy Title!\"){{/groovy}}{{/async}}` and content `Test Document`. Using the search UI, search for `\"Test Document\"`, then deploy the `Location` facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:\n```\nHello from Groovy Title!\n\u003c/a\u003e\n\u003cdiv class=\"itemCount\"\u003e1\u003c/div\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n{{/html}}\n```\n\n### Patches\nThis has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.\n\n### Workarounds\nModify the `Main.SolrSpaceFacet` page following this [patch](https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb#diff-22dd1949ed9019a39f2550f5a953a1a967c30a374dc9eeddb74069bf229b17d5).\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21471\n* https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb\n* https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5\n",
"id": "GHSA-xm4h-3jxr-m3c6",
"modified": "2024-04-10T22:01:16Z",
"published": "2024-04-10T17:13:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31984"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-platform"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-21471"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "XWiki Platform: Remote code execution through space title and Solr space facet"
}
GHSA-XMCG-3P5M-PG58
Vulnerability from github – Published: 2025-10-15 03:30 – Updated: 2025-10-15 03:30The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.
{
"affected": [],
"aliases": [
"CVE-2011-10033"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-15T02:15:31Z",
"severity": "CRITICAL"
},
"details": "The WordPress plugin\u00a0is-human \u003c= v1.4.2 contains\u00a0an eval injection vulnerability in /is-human/engine.php that can be triggered via the \u0027type\u0027 parameter when the \u0027action\u0027 parameter is set to \u0027log-reset\u0027. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.",
"id": "GHSA-xmcg-3p5m-pg58",
"modified": "2025-10-15T03:30:40Z",
"published": "2025-10-15T03:30:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10033"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html"
},
{
"type": "WEB",
"url": "https://wordpress.org/plugins/is-human"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/17299"
},
{
"type": "WEB",
"url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XQ52-RV6W-397C
Vulnerability from github – Published: 2020-01-23 02:28 – Updated: 2023-05-16 16:09Impact
If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection.
This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so they pretty much all come before script-src. A previously undefined directive would receive a value even if SecureHeaders::OPT_OUT was supplied.
The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.
Duplicate script-src directives detected. All but the first instance will be ignored.
See https://www.w3.org/TR/CSP3/#parse-serialized-policy
Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example.
Patches
Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.
Workarounds
If you are passing user input into the above methods, you could filter out the input:
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
References
Reported in https://github.com/twitter/secure_headers/issues/418 https://www.w3.org/TR/CSP3/#parse-serialized-policy
For more information
If you have any questions or comments about this advisory: * Open an issue in this repo * DM @ndm on twitter
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "6.0.0"
},
{
"fixed": "6.2.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.1.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "secure_headers"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.8.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5217"
],
"database_specific": {
"cwe_ids": [
"CWE-95"
],
"github_reviewed": true,
"github_reviewed_at": "2020-01-23T02:12:03Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nIf user-supplied input was passed into `append/override_content_security_policy_directives`, a semicolon could be injected leading to directive injection.\n\nThis could be used to e.g. override a `script-src` directive. Duplicate directives are ignored and the first one wins. The directives in `secure_headers` are sorted alphabetically so they pretty much all come before `script-src`. A previously undefined directive would receive a value even if `SecureHeaders::OPT_OUT` was supplied.\n\nThe fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.\n\n\u003e Duplicate script-src directives detected. All but the first instance will be ignored.\n\nSee https://www.w3.org/TR/CSP3/#parse-serialized-policy\n\n\u003e Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example.\n\n### Patches\n\nDepending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.\n\n### Workarounds\n\nIf you are passing user input into the above methods, you could filter out the input:\n\n```ruby\noverride_content_security_policy_directives(:frame_src, [user_input.gsub(\";\", \" \")])\n```\n\n### References\n\nReported in https://github.com/twitter/secure_headers/issues/418\nhttps://www.w3.org/TR/CSP3/#parse-serialized-policy\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [this repo](https://github.com/twitter/secure_headers/issues/new)\n* DM @ndm on twitter ",
"id": "GHSA-xq52-rv6w-397c",
"modified": "2023-05-16T16:09:56Z",
"published": "2020-01-23T02:28:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5217"
},
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/issues/418"
},
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/pull/421"
},
{
"type": "WEB",
"url": "https://github.com/twitter/secure_headers/commit/936a160e3e9659737a9f9eafce13eea36b5c9fa3"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/secure_headers/CVE-2020-5217.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twitter/secure_headers"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Directive injection when using dynamic overrides with user input"
}
Mitigation
Strategy: Refactoring
If possible, refactor your code so that it does not need to use eval() at all.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
- Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
- Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].
CAPEC-35: Leverage Executable Code in Non-Executable Files
An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.