All the vulnerabilites related to xwiki - xwiki-commons
cve-2022-24897
Vulnerability from cvelistv5
Published
2022-05-02 21:49
Modified
2024-08-03 04:29
Severity ?
EPSS score ?
Summary
APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/pull/127 | x_refsource_MISC | |
| https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-5168 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 2.3, < 12.6.7 Version: 12.7-rc-1, < 12.10.3 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/pull/127"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-5168"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.3, \u003c 12.6.7"
},
{
"status": "affected",
"version": "12.7-rc-1, \u003c 12.10.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-02T21:49:17",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/pull/127"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-5168"
}
],
"source": {
"advisory": "GHSA-cvx5-m8vg-vxgc",
"discovery": "UNKNOWN"
},
"title": "Arbitrary filesystem write access from Velocity",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24897",
"STATE": "PUBLIC",
"TITLE": "Arbitrary filesystem write access from Velocity"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xwiki-commons",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.3, \u003c 12.6.7"
},
{
"version_value": "12.7-rc-1, \u003c 12.10.3"
}
]
}
}
]
},
"vendor_name": "xwiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "APIs to evaluate content with Velocity is a package for APIs to evaluate content with Velocity. Starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, the velocity scripts are not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Writing an attacking script in Velocity requires the Script rights in XWiki so not all users can use it, and it also requires finding an XWiki API which returns a File. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc",
"refsource": "CONFIRM",
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-cvx5-m8vg-vxgc"
},
{
"name": "https://github.com/xwiki/xwiki-commons/pull/127",
"refsource": "MISC",
"url": "https://github.com/xwiki/xwiki-commons/pull/127"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8",
"refsource": "MISC",
"url": "https://github.com/xwiki/xwiki-commons/commit/215951cfb0f808d0bf5b1097c9e7d1e503449ab8"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-5168",
"refsource": "MISC",
"url": "https://jira.xwiki.org/browse/XWIKI-5168"
}
]
},
"source": {
"advisory": "GHSA-cvx5-m8vg-vxgc",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24897",
"datePublished": "2022-05-02T21:49:17",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:29:00.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-26055
Vulnerability from cvelistv5
Published
2023-03-02 18:48
Modified
2024-08-02 11:39
Severity ?
EPSS score ?
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h | x_refsource_CONFIRM | |
| https://jira.xwiki.org/browse/XCOMMONS-2498 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-19793 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-19794 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 3.1-milestone-1, < 13.10.9 Version: >= 14.0-rc-1, < 14.4.4 Version: >= 14.5, < 14.7-rc-1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2498",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19793",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19794",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1-milestone-1, \u003c 13.10.9"
},
{
"status": "affected",
"version": "\u003e= 14.0-rc-1, \u003c 14.4.4"
},
{
"status": "affected",
"version": "\u003e= 14.5, \u003c 14.7-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-02T18:48:16.053Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2498",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19793",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19794",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
}
],
"source": {
"advisory": "GHSA-8cw6-4r32-6r3h",
"discovery": "UNKNOWN"
},
"title": "XWiki Commons may allow privilege escalation to programming rights via user\u0027s first name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-26055",
"datePublished": "2023-03-02T18:48:16.053Z",
"dateReserved": "2023-02-17T22:44:03.151Z",
"dateUpdated": "2024-08-02T11:39:06.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-36471
Vulnerability from cvelistv5
Published
2023-06-29 19:44
Modified
2024-11-26 19:25
Severity ?
EPSS score ?
Summary
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println("Hello from Groovy!")" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-2634 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 14.6-rc-1, < 14.10.6 Version: >= 15.0-rc-1, < 15.2-rc-1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:56.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2634",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:25:06.919406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:25:17.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.6-rc-1, \u003c 14.10.6"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.2-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}\u003cinput type=\"hidden\" name=\"content\" value=\"{{groovy}}println(\u0026quot;Hello from Groovy!\u0026quot;)\" /\u003e{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T19:44:27.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2634",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
}
],
"source": {
"advisory": "GHSA-6pqf-c99p-758v",
"discovery": "UNKNOWN"
},
"title": "HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36471",
"datePublished": "2023-06-29T19:44:27.211Z",
"dateReserved": "2023-06-21T18:50:41.701Z",
"dateUpdated": "2024-11-26T19:25:17.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-31996
Vulnerability from cvelistv5
Published
2024-04-10 20:46
Modified
2024-08-02 01:59
Severity ?
EPSS score ?
Summary
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5 | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa | x_refsource_MISC | |
| https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a | x_refsource_MISC | |
| https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-2828 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-21438 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 3.0.1, < 14.10.19 Version: >= 15.0-rc-1, < 15.5.4 Version: >= 15.6-rc-1, < 15.9-rc-1 |
|
|
|||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xwiki:commons:3.0.1:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "commons",
"vendor": "xwiki",
"versions": [
{
"lessThan": "14.10.19",
"status": "affected",
"version": "3.0.1",
"versionType": "custom"
},
{
"lessThan": "15.5.4",
"status": "affected",
"version": "15.0-rc-1",
"versionType": "custom"
},
{
"lessThan": "15.9-rc-1",
"status": "affected",
"version": "15.6-rc-1",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-31996",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-03T14:18:52.690268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:36:19.539Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T01:59:50.900Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2828",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2828"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21438",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21438"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.1, \u003c 14.10.19"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.5.4"
},
{
"status": "affected",
"version": "\u003e= 15.6-rc-1, \u003c 15.9-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn\u0027t escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code execution. The vulnerability has been fixed in XWiki 14.10.19, 15.5.5, and 15.9 RC1. Apart from upgrading, there is no generic workaround. However, replacing `$escapetool.html` by `$escapetool.xml` in XWiki documents fixes the vulnerability. In a standard XWiki installation, the maintainers are only aware of the document `Panels.PanelLayoutUpdate` that exposes this vulnerability, patching this document is thus a workaround. Any extension could expose this vulnerability and might thus require patching, too."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-95",
"description": "CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-10T20:46:19.929Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2828",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2828"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-21438",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-21438"
}
],
"source": {
"advisory": "GHSA-hf43-47q4-fhq5",
"discovery": "UNKNOWN"
},
"title": "XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-31996",
"datePublished": "2024-04-10T20:46:19.929Z",
"dateReserved": "2024-04-08T13:48:37.491Z",
"dateUpdated": "2024-08-02T01:59:50.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2022-24898
Vulnerability from cvelistv5
Published
2022-04-28 19:35
Modified
2024-08-03 04:29
Severity ?
EPSS score ?
Summary
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-18946 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 2.7, < 12.10.10 Version: >= 13.0, < 13.4.4 Version: >= 13.5-rc-1, <= 13.7 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7, \u003c 12.10.10"
},
{
"status": "affected",
"version": "\u003e= 13.0, \u003c 13.4.4"
},
{
"status": "affected",
"version": "\u003e= 13.5-rc-1, \u003c= 13.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-28T19:35:10",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
],
"source": {
"advisory": "GHSA-m2r5-4w96-qxg5",
"discovery": "UNKNOWN"
},
"title": "Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24898",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xwiki-commons",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.7, \u003c 12.10.10"
},
{
"version_value": "\u003e= 13.0, \u003c 13.4.4"
},
{
"version_value": "\u003e= 13.5-rc-1, \u003c= 13.7"
}
]
}
}
]
},
"vendor_name": "xwiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5",
"refsource": "CONFIRM",
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5",
"refsource": "MISC",
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-18946",
"refsource": "MISC",
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
]
},
"source": {
"advisory": "GHSA-m2r5-4w96-qxg5",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24898",
"datePublished": "2022-04-28T19:35:10",
"dateReserved": "2022-02-10T00:00:00",
"dateUpdated": "2024-08-03T04:29:00.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-31126
Vulnerability from cvelistv5
Published
2023-05-09 12:53
Modified
2024-08-02 14:45
Severity ?
EPSS score ?
Summary
`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `>` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-2606 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 14.6-rc-1, < 14.10.4 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:45:25.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2606",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2606"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.6-rc-1, \u003c 14.10.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "`org.xwiki.commons:xwiki-commons-xml` is an XML library used by the open-source wiki platform XWiki. The HTML sanitizer, introduced in version 14.6-rc-1, allows the injection of arbitrary HTML code and thus cross-site scripting via invalid data attributes. This vulnerability does not affect restricted cleaning in HTMLCleaner as there attributes are cleaned and thus characters like `/` and `\u003e` are removed in all attribute names. This problem has been patched in XWiki 14.10.4 and 15.0 RC1 by making sure that data attributes only contain allowed characters. There are no known workarounds apart from upgrading to a version including the fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-86",
"description": "CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-05-09T12:53:59.691Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-pv7v-ph6g-3gxv"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/0b8e9c45b7e7457043938f35265b2aa5adc76a68"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2606",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2606"
}
],
"source": {
"advisory": "GHSA-pv7v-ph6g-3gxv",
"discovery": "UNKNOWN"
},
"title": "Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-31126",
"datePublished": "2023-05-09T12:53:59.691Z",
"dateReserved": "2023-04-24T21:44:10.415Z",
"dateUpdated": "2024-08-02T14:45:25.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-29528
Vulnerability from cvelistv5
Published
2023-04-20 17:08
Modified
2024-08-02 14:14
Severity ?
EPSS score ?
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-2568 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-20348 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 4.2-milestone-1, < 14.10 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:14:38.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2568",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20348",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-1, \u003c 14.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. The \"restricted\" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this \"restricted\" mode for security is vulnerable to JavaScript injection (\"cross-site scripting\"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don\u0027t start with `\u003e`. There are no known workarounds apart from upgrading to a version including the fix.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T17:08:50.083Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2568",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20348",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"source": {
"advisory": "GHSA-x37v-36wv-6v6h",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29528",
"datePublished": "2023-04-20T17:08:50.083Z",
"dateReserved": "2023-04-07T18:56:54.630Z",
"dateUpdated": "2024-08-02T14:14:38.615Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-29201
Vulnerability from cvelistv5
Published
2023-04-15 14:24
Modified
2024-08-02 14:00
Severity ?
EPSS score ?
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j | x_refsource_CONFIRM | |
| https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2 | x_refsource_MISC | |
| https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-1680 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XCOMMONS-2426 | x_refsource_MISC | |
| https://jira.xwiki.org/browse/XWIKI-9118 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | xwiki | xwiki-commons |
Version: >= 4.2-milestone-1, < 14.6-rc-1 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:16.065Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-1680",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-1680"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2426",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2426"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-9118",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-9118"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-1, \u003c 14.6-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. The \"restricted\" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `\u003cscript\u003e` and `\u003cstyle\u003e`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `\u003ciframe\u003e`. As a consequence, any code relying on this \"restricted\" mode for security is vulnerable to JavaScript injection (\"cross-site scripting\"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-15T14:24:59.250Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-1680",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-1680"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2426",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2426"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-9118",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-9118"
}
],
"source": {
"advisory": "GHSA-m3jr-cvhj-f35j",
"discovery": "UNKNOWN"
},
"title": "org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29201",
"datePublished": "2023-04-15T14:24:59.250Z",
"dateReserved": "2023-04-03T13:37:18.454Z",
"dateUpdated": "2024-08-02T14:00:16.065Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}