#maven

### Impact The HTML sanitizer that is included in XWiki since version 14.6RC1 allowed form and input HTML tags. In the context of XWiki, this allows an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet, the attacker could add an input like `{{html}}<input type="hidden" name="content" value="{{groovy}}println(&quot;Hello from Groovy!&quot;)" />{{/html}}` that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. ### Patches This has been patched in XWiki 14.10.6 and 15.2RC1 by removing the central form-related tags from the list of allowed tags. ### Workarounds An admin can manually disallow the tags by adding `form, input, select, textarea, button` to the con...

### Effect Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as - removing technical documents, leading to loss of service - Editing the javascript configuration of CKEditor, leading to persistent XSS ### Patches This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. ### Workarounds The issue can be fixed manually by restricting the `edit` and `delete` rights to a trusted user or group (e.g. the `XWiki.XWikiAdminGroup` group), implicitly disabling those rights for all other users. See https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f ### References - https://jira.xwiki.org/browse/XWIKI-20590 - https://jira.xwiki.org/browse/CKEDITOR-508 - https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f ### For more info...

When a Keycloak server is configured to support mTLS authentication for OAuth/OpenID clients, it does not properly verify the client certificate chain. A client that possesses a proper certificate can authorize itself as any other client and therefore access data that belongs to other clients.

AssertionConsumerServiceURL is a Java implementation for SAML Service Providers (org.keycloak.protocol.saml). Affected versions of this package are vulnerable to Cross-site Scripting (XSS). AssertionConsumerServiceURL allows XSS when sending a crafted SAML XML request.

New report offers valuable resource to help organizations evaluate the safety and reliability of open-source packages.

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

### Description When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. * https://vaadin.com/security/cve-2023-25499

### Description Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. https://vaadin.com/security/cve-2023-25500

### Coordinated Disclosure Timeline - 10.06.2023: Issue reported to IntellectualSites - 11.06.2023: Issue is acknowledged - 12.06.2023: Issue has been fixed - 22.06.2023: Advisory has been published ### Impacted version range Before 2.6.3 ### Details #### Proof of Concept As a user, do the following: 1. Select position 1 via `//pos1` 2. Select position 2 adding the "Infinity" keyword via `//pos2 Infinity` 3. Execute any further operation. The steps 1 and 2 are interchangeable. #### Impact Such a task has a possibility of bringing the performing server down. #### CVE - CVE-2023-35925 #### Credit This issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis. ### Solution On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible. ...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain) This vulnerability exists since XWiki 6.2-milestone-1. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20614 * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the page...