ghsa

Improper Authentication vulnerability in Apache Software Foundation Apache Accumulo. This issue affects Apache Accumulo: 2.1.0. Accumulo 2.1.0 contains a defect in the user authentication process that may succeed when invalid credentials are provided. Users are advised to upgrade to 2.1.1.

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

### Impact It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. To reproduce: * Add an object of type UIExtensionClass * Set "Extension Point ID" to org.xwiki.platform.help.tipsPanel * Set "Extension ID" to org.xwiki.platform.user.test (needs to be unique but otherwise doesn't matter) * Set "Extension Parameters" to ``` tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} ``` * Set "Extension Scope" to "Current User". * Click "Save & View" * Open the "Help.TipsPanel" document at <xwiki-host>/xwiki/bin/view/Help/TipsPanel where <xwiki-host> is the URL of your XWiki installation and press refresh repeatedly. The groovy macro is executed, after the fix you get an error instead. ### Patches This has been patched in XWiki 15.1-rc-1 and 14.10.5. ### Workarounds There are no known workarounds for it. ### References * https://jira.xwiki....

### Impact If you used the [apiPrefilter](https://remult.dev/docs/ref_entity.html#apiprefilter) option of the `@Entity` decorator, by setting it to a function that returns a filter that prevents unauthorized access to data, an attacker who knows the `id` of an entity instance she is not authorized to access, can gain read, update and delete access to it. ### Patches The issue is fixed in version 0.20.6 ### Workarounds Set the `apiPrefilter` option to a filter object instead of a function. ### References If you're using a minor version < 0.20 and require a patch, please create an issue.

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the previewactions template to perform a XSS, e.g. by using URL such as: > <hostname>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain) This vulnerability exists since XWiki 6.1-rc-1. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the template previewactions.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20342 * Introduction of the macro used for fixing this type of vulnerability: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the template: http...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser: `<xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `<xwiki-host>` is the URL of your XWiki installation. See https://jira.xwiki.org/browse/XWIKI-20370 for me details. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. ### Workarounds The fix is only impacting Velocity templates and page contents, so applying this [patch](https://github.com/xwiki/xwiki-platform/commit/ca88ebdefb2c9fa41490959cce9f9e62404799e7) is enough to fix the issue. ### References https://jira.xwiki.org/browse/XWIKI-20370 ### For more information If you have any questions or comm...

### Impact A stored XSS can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting `/xwiki/bin/view/AppWithinMinutes/ClassEditSheet` executes the payload. See https://jira.xwiki.org/browse/XWIKI-20365 for me details. ### Patches The issue has been patched on XWiki 14.4.8, 14.10.4, and 15.0 ? ### Workarounds The issue can be fixed by updating `AppWithinMinutes.ClassEditSheet` with this [patch](https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302). ### References - https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302 - https://jira.xwiki.org/browse/XWIKI-20365 ### For more information If you have any questions or comments about this advisory: * Open an ...

### Impact Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. ### Patches The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. ### Workarounds The vulnerability can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49). On versions before 13.4-rc-1, the fix needs to be applied on [XWiki.Like.Code.LiveTableResultPage](https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39). ### References - The reported issue https://jira.xwiki.org/browse/XWIKI-20611, fixed by https://jira.xwiki.org/browse/XWIKI-19900 - The patch https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a...

### Impact Any user can call a REST endpoint and obtain the obfuscated passwords (even when the mail obfuscation is activated). For instance, by calling http://localhost:8080/xwiki/rest/wikis/xwiki/spaces/XWiki/pages/U1/objects/XWiki.XWikiUsers/0 when user `U1` exists on wiki `xwiki`. ### Patches The issue has been patched on XWiki 14.4.8, 14.10.6, and 15.1 ### Workarounds There is no known workaround. It is advised to upgrade to one of the patched versions. ### References - https://jira.xwiki.org/browse/XWIKI-16138 - https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

### Impact Any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. See the example below: Open `<xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view` where `<xwiki-host>` is the URL of your XWiki installation. ### Patches The problem as been patching on XWiki 15.0, 14.10.4 and 14.4.8. ### Workarounds It is possible to partially fix the issue by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a). Note that some additional issue can remain and can be fixed automatically by a migration. Hence, it is advised to upgrade to one of the patched version instead of patching manually. ### Refere...