Vulnerabilites related to xwiki - commons
Vulnerability from fkie_nvd
Published
2022-04-28 20:15
Modified
2024-11-21 06:51
Severity ?
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.9 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Summary
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 | Third Party Advisory | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XWIKI-18946 | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XWIKI-18946 | Exploit, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0A4F402B-57B2-40BF-BFC8-D07CEA411260",
"versionEndExcluding": "12.10.10",
"versionStartIncluding": "2.7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F86A6141-13AB-4AE8-BF7C-76F7E03A5A1D",
"versionEndExcluding": "13.4.4",
"versionStartIncluding": "13.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCB47D33-43C0-4469-BCF9-D6518C22CB41",
"versionEndExcluding": "13.8",
"versionStartIncluding": "13.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
},
{
"lang": "es",
"value": "org.xwiki.commons:xwiki-commons-xml es un m\u00f3dulo com\u00fan usado por otros proyectos de primer nivel de XWiki. A partir de la versi\u00f3n 2.7 y versiones anteriores a 12.10.10, 13.4.4 y 13.8-rc-1, es posible que un script acceda a cualquier archivo que acceda al usuario que ejecuta el servidor de aplicaciones XWiki con XML External Entity Injection mediante el servicio de script XML. El problema ha sido parcheado en versiones 12.10.10, 13.4.4 y 13.8-rc-1. No se presenta una medida de mitigaci\u00f3n f\u00e1cil para arreglar esta vulnerabilidad, aparte de actualizar y tener cuidado cuando son dados derechos de Script"
}
],
"id": "CVE-2022-24898",
"lastModified": "2024-11-21T06:51:20.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-04-28T20:15:07.813",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-03-02 19:15
Modified
2024-11-21 07:50
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h | Exploit, Vendor Advisory | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XCOMMONS-2498 | Issue Tracking, Patch, Vendor Advisory | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XWIKI-19793 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XWIKI-19794 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h | Exploit, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XCOMMONS-2498 | Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XWIKI-19793 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XWIKI-19794 | Exploit, Issue Tracking, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3E30C43-2D72-41AB-BE10-AA767A6DBF0E",
"versionEndExcluding": "13.10.9",
"versionStartIncluding": "3.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "83497DF7-F317-4BDE-9A31-AC5222C04C70",
"versionEndExcluding": "14.4.4",
"versionStartIncluding": "14.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DF029B4B-7633-425B-AEFA-F71482CB1857",
"versionEndExcluding": "14.7",
"versionStartIncluding": "14.5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:3.1:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "4D52F455-D215-49B5-A91D-D3F3CD6D6D99",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:3.1:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "728B6761-BA45-480C-8374-28B93B7CF78E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BB77C57C-BE72-4917-A374-E36F2165BCCD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:14.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "DB29BA36-84FA-423A-8D56-E5CFEFF696E5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.\n"
}
],
"id": "CVE-2023-26055",
"lastModified": "2024-11-21T07:50:40.323",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-02T19:15:10.867",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-150"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-29 20:15
Modified
2024-11-21 08:09
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println("Hello from Groovy!")" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 | Patch | |
| security-advisories@github.com | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v | Exploit, Mitigation, Vendor Advisory | |
| security-advisories@github.com | https://jira.xwiki.org/browse/XCOMMONS-2634 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3 | Patch | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v | Exploit, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://jira.xwiki.org/browse/XCOMMONS-2634 | Exploit, Issue Tracking, Patch, Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "28D2C022-6760-4865-B087-19EB62B226A3",
"versionEndExcluding": "14.10.6",
"versionStartIncluding": "14.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:15.0:-:*:*:*:*:*:*",
"matchCriteriaId": "B5E0E97B-07B7-43D5-BF0B-A20F41AB1B5B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:15.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "3686A321-60C2-4BCE-8D0B-32F56D1D2C63",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:15.1:-:*:*:*:*:*:*",
"matchCriteriaId": "0E3494D6-09D1-426B-BC58-5B11F2371645",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:15.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "C4FFC387-3B28-4875-819C-B0847083CD55",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}\u003cinput type=\"hidden\" name=\"content\" value=\"{{groovy}}println(\u0026quot;Hello from Groovy!\u0026quot;)\" /\u003e{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file."
}
],
"id": "CVE-2023-36471",
"lastModified": "2024-11-21T08:09:46.877",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-29T20:15:10.003",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-04-20 18:15
Modified
2024-11-21 07:57
Severity ?
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
9.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03911D90-117F-4EFD-9CA9-D6F653CB1D48",
"versionEndExcluding": "14.10",
"versionStartIncluding": "4.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:4.2:-:*:*:*:*:*:*",
"matchCriteriaId": "C514853A-989A-4BED-A653-D1578DB40157",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:4.2:milestone1:*:*:*:*:*:*",
"matchCriteriaId": "36E79F9F-67BC-4E06-9882-DEA941AEF84B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:4.2:milestone2:*:*:*:*:*:*",
"matchCriteriaId": "9BE5ECE0-5A68-4B4F-9752-8C2F46AE9009",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:4.2:milestone3:*:*:*:*:*:*",
"matchCriteriaId": "60F8E581-DBE8-407C-970A-0ED230F074BB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:xwiki:commons:4.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "8D23E926-03F5-4EC0-B8D7-434F97D01A8B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. The \"restricted\" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this \"restricted\" mode for security is vulnerable to JavaScript injection (\"cross-site scripting\"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don\u0027t start with `\u003e`. There are no known workarounds apart from upgrading to a version including the fix.\n"
}
],
"id": "CVE-2023-29528",
"lastModified": "2024-11-21T07:57:14.260",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-04-20T18:15:07.307",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
CVE-2022-24898 (GCVE-0-2022-24898)
Vulnerability from cvelistv5
Published
2022-04-28 19:35
Modified
2025-04-22 18:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Summary
org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-commons |
Version: >= 2.7, < 12.10.10 Version: >= 13.0, < 13.4.4 Version: >= 13.5-rc-1, <= 13.7 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:29:00.939Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-24898",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:48:15.064637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T18:02:24.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.7, \u003c 12.10.10"
},
{
"status": "affected",
"version": "\u003e= 13.0, \u003c 13.4.4"
},
{
"status": "affected",
"version": "\u003e= 13.5-rc-1, \u003c= 13.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-28T19:35:10.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
],
"source": {
"advisory": "GHSA-m2r5-4w96-qxg5",
"discovery": "UNKNOWN"
},
"title": "Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24898",
"STATE": "PUBLIC",
"TITLE": "Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "xwiki-commons",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.7, \u003c 12.10.10"
},
{
"version_value": "\u003e= 13.0, \u003c 13.4.4"
},
{
"version_value": "\u003e= 13.5-rc-1, \u003c= 13.7"
}
]
}
}
]
},
"vendor_name": "xwiki"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, it is possible for a script to access any file accessing to the user running XWiki application server with XML External Entity Injection through the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround for fixing this vulnerability other than upgrading and being careful when giving Script rights."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5",
"refsource": "CONFIRM",
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m2r5-4w96-qxg5"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5",
"refsource": "MISC",
"url": "https://github.com/xwiki/xwiki-commons/commit/947e8921ebd95462d5a7928f397dd1b64f77c7d5"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-18946",
"refsource": "MISC",
"url": "https://jira.xwiki.org/browse/XWIKI-18946"
}
]
},
"source": {
"advisory": "GHSA-m2r5-4w96-qxg5",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-24898",
"datePublished": "2022-04-28T19:35:10.000Z",
"dateReserved": "2022-02-10T00:00:00.000Z",
"dateUpdated": "2025-04-22T18:02:24.536Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29528 (GCVE-0-2023-29528)
Vulnerability from cvelistv5
Published
2023-04-20 17:08
Modified
2025-02-04 21:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with `>`. There are no known workarounds apart from upgrading to a version including the fix.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-commons |
Version: >= 4.2-milestone-1, < 14.10 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:14:38.615Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2568",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20348",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29528",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-04T21:35:34.370585Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-04T21:35:41.897Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2-milestone-1, \u003c 14.10"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. The \"restricted\" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this \"restricted\" mode for security is vulnerable to JavaScript injection (\"cross-site scripting\"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don\u0027t start with `\u003e`. There are no known workarounds apart from upgrading to a version including the fix.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-20T17:08:50.083Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2568",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-20348",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"source": {
"advisory": "GHSA-x37v-36wv-6v6h",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-29528",
"datePublished": "2023-04-20T17:08:50.083Z",
"dateReserved": "2023-04-07T18:56:54.630Z",
"dateUpdated": "2025-02-04T21:35:41.897Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-36471 (GCVE-0-2023-36471)
Vulnerability from cvelistv5
Published
2023-06-29 19:44
Modified
2024-11-26 19:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Summary
Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println("Hello from Groovy!")" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-commons |
Version: >= 14.6-rc-1, < 14.10.6 Version: >= 15.0-rc-1, < 15.2-rc-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T16:45:56.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2634",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-36471",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-26T19:25:06.919406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-26T19:25:17.668Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 14.6-rc-1, \u003c 14.10.6"
},
{
"status": "affected",
"version": "\u003e= 15.0-rc-1, \u003c 15.2-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Xwiki commons is the common modules used by other XWiki top level projects. The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}\u003cinput type=\"hidden\" name=\"content\" value=\"{{groovy}}println(\u0026quot;Hello from Groovy!\u0026quot;)\" /\u003e{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. Users are advised to upgrade. As a workaround an admin can manually disallow the tags by adding `form, input, select, textarea, button` to the configuration option `xml.htmlElementSanitizer.forbidTags` in the `xwiki.properties` configuration file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-29T19:44:27.211Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v"
},
{
"name": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2634",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2634"
}
],
"source": {
"advisory": "GHSA-6pqf-c99p-758v",
"discovery": "UNKNOWN"
},
"title": "HTML sanitizer allows form elements in restricted in org.xwiki.commons:xwiki-commons-xml"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-36471",
"datePublished": "2023-06-29T19:44:27.211Z",
"dateReserved": "2023-06-21T18:50:41.701Z",
"dateUpdated": "2024-11-26T19:25:17.668Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-26055 (GCVE-0-2023-26055)
Vulnerability from cvelistv5
Published
2023-03-02 18:48
Modified
2025-03-05 20:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences
Summary
XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xwiki | xwiki-commons |
Version: >= 3.1-milestone-1, < 13.10.9 Version: >= 14.0-rc-1, < 14.4.4 Version: >= 14.5, < 14.7-rc-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.565Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2498",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19793",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19794",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-26055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-05T20:39:11.635057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-05T20:39:15.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "xwiki-commons",
"vendor": "xwiki",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.1-milestone-1, \u003c 13.10.9"
},
{
"status": "affected",
"version": "\u003e= 14.0-rc-1, \u003c 14.4.4"
},
{
"status": "affected",
"version": "\u003e= 14.5, \u003c 14.7-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "XWiki Commons are technical libraries common to several other top level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is going to be executed with programming right. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-150",
"description": "CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-02T18:48:16.053Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-8cw6-4r32-6r3h"
},
{
"name": "https://jira.xwiki.org/browse/XCOMMONS-2498",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XCOMMONS-2498"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19793",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19793"
},
{
"name": "https://jira.xwiki.org/browse/XWIKI-19794",
"tags": [
"x_refsource_MISC"
],
"url": "https://jira.xwiki.org/browse/XWIKI-19794"
}
],
"source": {
"advisory": "GHSA-8cw6-4r32-6r3h",
"discovery": "UNKNOWN"
},
"title": "XWiki Commons may allow privilege escalation to programming rights via user\u0027s first name"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-26055",
"datePublished": "2023-03-02T18:48:16.053Z",
"dateReserved": "2023-02-17T22:44:03.151Z",
"dateUpdated": "2025-03-05T20:39:15.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}