#maven

New report offers valuable resource to help organizations evaluate the safety and reliability of open-source packages.

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

### Description When adding non-visible components to the UI in server side, content is sent to the browser in Vaadin 10.0.0 through 10.0.22, 11.0.0 through 14.10.0, 15.0.0 through 22.0.28, 23.0.0 through 23.3.12, 24.0.0 through 24.0.5 and 24.1.0.alpha1 to 24.1.0.beta1, resulting in potential information disclosure. * https://vaadin.com/security/cve-2023-25499

### Description Possible information disclosure in Vaadin 10.0.0 to 10.0.23, 11.0.0 to 14.10.1, 15.0.0 to 22.0.28, 23.0.0 to 23.3.13, 24.0.0 to 24.0.6, 24.1.0.alpha1 to 24.1.0.rc2, resulting in potential information disclosure of class and method names in RPC responses by sending modified requests. https://vaadin.com/security/cve-2023-25500

### Coordinated Disclosure Timeline - 10.06.2023: Issue reported to IntellectualSites - 11.06.2023: Issue is acknowledged - 12.06.2023: Issue has been fixed - 22.06.2023: Advisory has been published ### Impacted version range Before 2.6.3 ### Details #### Proof of Concept As a user, do the following: 1. Select position 1 via `//pos1` 2. Select position 2 adding the "Infinity" keyword via `//pos2 Infinity` 3. Execute any further operation. The steps 1 and 2 are interchangeable. #### Impact Such a task has a possibility of bringing the performing server down. #### CVE - CVE-2023-35925 #### Credit This issue was discovered and [reported](https://github.com/IntellectualSites/.github/blob/main/SECURITY.md) by @SuperMonis. ### Solution On June 12, 2023, a patch, https://github.com/IntellectualSites/FastAsyncWorldEdit/pull/2285, has been merged addressing the vulnerability. We strongly recommend users to update their version of FastAsyncWorldEdit to 2.6.3 as soon as possible. ...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain) This vulnerability exists since XWiki 6.2-milestone-1. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the page AppWithinMinutes.DeleteApplication to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20614 * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the page...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main?xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain) This vulnerability exists since XWiki 2.5-milestone-2. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the template resubmit.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20343 * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the page: https://github.co...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain) This vulnerability exists since XWiki 3.4-milestone-1. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the template deletespace.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Jira ticket about the vulnerability: https://jira.xwiki.org/browse/XWIKI-20612 * Introduction of the macro used for fixing all those vulnerabilities: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the template: https://github.com/xwiki/xwiki-platform/commit/5c20ff5e3bd...

### Impact Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the restore template to perform a XSS, e.g. by using URL such as: > /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain) This vulnerability exists since XWiki 9.4-rc-1. ### Patches The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1. ### Workarounds It's possible to workaround the vulnerability by editing the template restore.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki. See the referenced jira tickets. ### References * Vulnerability in restore template: https://jira.xwiki.org/browse/XWIKI-20352 * Introduction of the macro used for fixing this vulnerability: https://jira.xwiki.org/browse/XWIKI-20583 * Commit containing the actual fix in the template: https://github.com/xwiki/xwiki-platform/commit/d5472100...

### Impact It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. ### Patches The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6. ### Workarounds There's no workaround for this other than upgrading XWiki. ### References * Jira ticket: https://jira.xwiki.org/browse/XWIKI-20339 * Commit containing the fix: https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])