Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-27480: XWIKI-20320: Disallow DOCTYPE in the XAR descriptor · xwiki/xwiki-platform@e3527b9

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit rights on a document can trigger an XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. Users unable to upgrade may apply the patch e3527b98fd manually.

CVE
#vulnerability#apache#git

Skip to content

    • Actions

      Automate any workflow

    • Packages

      Host and manage packages

    • Security

      Find and fix vulnerabilities

    • Codespaces

      Instant dev environments

    • Copilot

      Write better code with AI

    • Code review

      Manage code changes

    • Issues

      Plan and track work

    • Discussions

      Collaborate outside of code

*   Explore
*   All features
*   Documentation
*   GitHub Skills
*   Blog
    • For

    • Enterprise

    • Teams

    • Startups

    • Education

    • By Solution

    • CI/CD & Automation

    • DevOps

    • DevSecOps

    • Case Studies

    • Customer Stories

    • Resources

    • GitHub Sponsors

      Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

*   Repositories
*   Topics
*   Trending
*   Collections
  • Pricing

  • Notifications

  • Fork 447

  • Code

  • Pull requests 55

  • Actions

  • Projects

  • Security

  • Insights

Permalink

Browse files

XWIKI-20320: Disallow DOCTYPE in the XAR descriptor

  • Loading branch information

Showing 1 changed file with 2 additions and 0 deletions.

@@ -515,6 +515,8 @@ public void readDescriptor(InputStream stream) throws XarException, IOException

DocumentBuilder dBuilder;

try {

// Prevent XXE attack

dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

dBuilder = dbFactory.newDocumentBuilder();

} catch (ParserConfigurationException e) {

throw new XarException("Failed to create a new Document builder", e);

0 comments on commit e3527b9

Please sign in to comment.

Related news

GHSA-gx4f-976g-7g6v: XWiki Platform vulnerable to data leak via Improper Restriction of XML External Entity Reference

### Impact Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. Example to reproduce: * Create a forget XAR file and inside it, have the following `package.xml` content: ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <package> <infos> <name>&xxe;</name> <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description> <licence></licence> <author>XWiki.Admin</author> ... ``` * Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`). * Call the page using `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar` You'll then notice that the displayed UI contains the content of the `/etc/passwd` file. ### Patches The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. ### Workarounds You'd...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907