#maven

The SlingRequestDispatcher doesn't correctly implement the RequestDispatcher API resulting in a generic type of include-based cross-site scripting issues on the Apache Sling level. The vulnerability is exploitable by an attacker that is able to include a resource with specific content-type and control the include path (i.e. writing content). The impact of a successful attack is privilege escalation to administrative power. Please update to Apache Sling Engine version 2.14.0 or newer and enable the "Check Content-Type overrides" configuration option.

With deps.dev API and Assured OSS, Google is addressing the common challenges software developers face in securing the software supply chain.

### Impact The [Livetable Macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/Livetable%20Macro) wasn't properly sanitizing column names, thus allowing the insertion of raw HTML code including JavaScript. This vulnerability was also exploitable via the [Documents Macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/Documents%20Macro) that is included since XWiki 3.5M1 and doesn't require script rights, this can be demonstrated with the syntax `{{documents id="example" count="5" actions="false" columns="doc.title, before<script>alert(1)</script>after"/}}`. Therefore, this can also be exploited by users without script right and in comments. With the interaction of a user with more rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content. ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds It is possible to apply the...

### Impact It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with `uorgsuggest.vm`. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. ### Patches The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1. ### Workarounds It's possible to workaround this vulnerability by patching directly `uorgsuggest.vm ` to apply the same changes as in https://github.com/xwiki/xwiki-platform/pull/1883. ### References * JIRA ticket: https://jira.xwiki.org/browse/XWIKI-20007 * this vulnerability is actually a remaining of https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf which wasn't entirely fixed back then ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org)...

### Impact There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. ### Patches This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right. ### Workarounds The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/fe65bc35d5672dd2505b7ac4ec42aec57d500fbb) and rebuilding and redeploying `xwiki-platform-skin-skinx`. ### References * https://jira.xwiki.org/browse/XWIKI-19514 * https://jira.xwiki.org/browse/XWIKI-9119 * https://jira.xwiki.org/browse/XWIKI-19583 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:security@x...

### Impact The HTML macro does not systematically perform a proper neutralization of script-related html tags. As a result, any user able to use the html macro in XWiki, is able to introduce an XSS attack. This can be particularly dangerous since in a standard wiki, any user is able to use the html macro directly in their own user profile page. ### Patches The problem has been patched in XWiki 14.8RC1. The patch involve that the HTML macro are systematically cleaned up whenever the user does not have script right. ### Workarounds There's no workaround for this issue. ### References * https://jira.xwiki.org/browse/XWIKI-18568 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])

### Impact It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using URL such as `http:/mydomain.com`. ### Patches The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1. ### Workarounds The only way to workaround the bug is by providing a patched jar of xwiki-platform-oldcore containing the following changes: https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1e#diff-c445f288d5d63424f56ef13f65514ab4e174a72e979b53b88197c2b7def267cf. ### References * Jira ticket of the reported vulnerability: https://jira.xwiki.org/browse/XWIKI-19994 * Jira ticket of the original mechanism put in place to prevent open redirect: https://jira.xwiki.org/browse/XWIKI-10309 * Original advisory about open redirect: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp55-vvmf-63mv ### For ...

### Impact Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in `XWiki.AdminFieldsDisplaySheet`. This page is installed by default. Reproduction steps are described in https://jira.xwiki.org/browse/XWIKI-20261 ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede) on `XWiki.AdminFieldsDisplaySheet`. ### References - https://jira.xwiki.org/browse/XWIKI-20261 - https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at ...

### Impact The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such attack: ``` {{velocity}} $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}') $doc.authors.setContentAuthor('xwiki:XWiki.superadmin') $doc.getRenderedContent() {{/velocity}} ``` ### Patches The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API. ### Workarounds There no easy workaround apart of upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-20380 * https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])

### Impact It was possible to inject some code using the URL of authenticate endpoints, e.g.: ``` https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword ``` This vulnerability was present in recent versions of XWiki: - 13.10.8+ - 14.4.3+ - 14.6+ ### Patches This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10. ### Workarounds There is no easy workaround except to upgrade. ### References - https://jira.xwiki.org/browse/XWIKI-20335 - https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security mailing-list](mailto:[email protected])