ghsa

### Impact It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). This will most of the time fill the memory allocated to XWiki and make it unusable every time this document is manipulated. ### Patches It has been patched in XWiki 14.0 ### Workarounds There is no workaround. ### References https://jira.xwiki.org/browse/XWIKI-19223 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [our security mailing list](mailto:[email protected])

### Impact Comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled) but the async macro is not taking into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin as in: {{async}} {{groovy}}println "it works !"{{/groovy}} {{/async}} ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006) and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`. ### References * https://jira.xwiki.org/browse/XWIKI-20234 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:[email protected])

### Impact Any user can edit his own profile and inject code which is going to be executed with programming right. Steps to reproduce: * Set your first name to ``` {{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}} ``` The first name appears as interpreted "`Hello from groovy`" instead of the expected fully escaped "`{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}`". The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using [Apps Within Minutes](https://extensions.xwiki.org/xwiki/bin/view/Extension/App%20Within%20Minutes%20Application) that use a short text field. ### Patches The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1. ### Workarounds There are no other workarounds than upgrading XWiki or patching the xwiki-commons-xml JAR file. ### References * https://jira.xwiki.org/browse/XWIKI-19793 * https://jira...

### Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: ``` }}} {{async async="true"}} {{groovy}} println("Hello from Groovy!") {{/groovy}} {{/async}} {{{ ``` Can be done by creating a new page or even through the user profile for users not having edit right. ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds An easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45 ### References https://jira.xwiki.org/browse/XWIKI-19731 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:[email protected])

### Impact It's possible to use the right of an existing document content author to execute a text area property. To reproduce: * As an admin with programming rights, create a new user without script or programming right. * Login with the freshly created user. * Insert the following text in source mode in the about section: ``` {{groovy}}println("hello from groovy!"){{/groovy}} ``` * Click "Save & View" ### Patches This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20373 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org/) * Email us at [Security ML](mailto:[email protected])

### Impact Users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. ### Patches The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9. ### Workarounds The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`. ### References - Jira: https://jira.xwiki.org/browse/XWIKI-19949 - Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8 ### For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:[email protected])

### Impact Any user with edit right can execute arbitrary database select and access data stored in the database. To reproduce: * In admin, rights, remove scripting rights for {{XWikiAllGroup}}. * Create a new user without any special privileges. * Create a page "Private.WebHome" with {{TOKEN_42}} as content. Go to "page administration" and explicitly set all rights for "Admin" to remove them for all other users. * Logout and login as the unprivileged user. Ensure that the previously created page cannot be viewed. * Create a new page "ExploitClass.WebHome" and then open it in the class editor (first, make the user an advanced user). * Add a field named {{ContentList}} of type {{Database List}} * Enter in field "Hibernate Query" the following content: {noformat}select doc.content, doc.fullName from XWikiDocument as doc where doc.fullName = 'Private.WebHome'{noformat} * Save the class. * Open [http://localhost:8080/xwiki/bin/view/ExploitClass/?xpage=suggest&classname=ExploitCl...

### Impact Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like user email address in staff-authenticated requests. This issue has been patched in versions 3.1.48, 3.7.59, 3.8.30, 3.9.27, 3.10.14 and 3.11.12. ### Workarounds None ### For more information If you have any questions or comments about this advisory: * Open a discussion at https://github.com/saleor/saleor/discussions * Email us at [[email protected]](mailto:[email protected])

### Summary _When you insert a payload inside a label name or instruction of an entry type, an XSS happens in the quick post widget on the admin dashboard._ ### PoC [_Complete instructions, including specific configuration details, to reproduce the vulnerability._](https://user-images.githubusercontent.com/53917092/215604129-d5b75608-5a24-4eb3-906f-55b192310298.mp4) ### Impact Tested with the free version of Craft CMS 4.3.6.1

### Impact The ERC721Consecutive contract designed for minting NFTs in batches does not update balances when a batch has size 1 and consists of a single token. Subsequent transfers from the receiver of that token may overflow the balance as reported by `balanceOf`. The issue exclusively presents with batches of size 1. ### Patches The issue has been patched in 4.8.2. <!-- ### References -->