Security
Headlines
HeadlinesLatestCVEs

Tag

#maven

GHSA-9jq5-xwqw-q8j3: XWiki Platform vulnerable to page render failure due to broken translations

### Impact It's possible to break many translations coming from wiki pages by creating a corrupted document containing a translation object. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds There is no other workaround other than fixing any way to create a document that fail to load. ### References https://jira.xwiki.org/browse/XWIKI-20460 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

ghsa
Open in Source
#vulnerability#git#java#jira#maven
GHSA-3hjg-cghv-22ww: org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

### Impact A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. ### Patches The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. ### Workarounds The problem can be worked around by applying following changes directly in XWiki.AttachmentSelector page: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1. ### References * https://jira.xwiki.org/browse/XWIKI-20364 * https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-px54-3w5j-qjg9: XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon

### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf) on `Invitation.InvitationCommon`. ### References - https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf - https://jira.xwiki.org/browse/XWIKI-20283 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-m3c3-9qj7-7xmx: Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer

### Impact The office document viewer macro was allowing anyone to see any file content from the hosting server, provided that the office server was connected and depending on the permissions of the user running the servlet engine (e.g. tomcat) running XWiki. The same vulnerability also allowed to perform internal requests to resources from the hosting server. ### Patches The problem has been patched in XWiki 13.10.11, 14.10.1, 14.4.8, 15.0-rc-1. ### Workarounds It might be possible to workaround this vulnerability by running XWiki in a sandbox with a user with very low privileges on the machine, now to run a servlet engine the user will always need access to some files, so in any case this workaround won't protect all files to be accessed. ### References * Original jira ticket: https://jira.xwiki.org/browse/XWIKI-20447 * Jira ticket related to another exploit using same root cause: https://jira.xwiki.org/browse/XWIKI-20324 * Jira ticket related to the possibility to explo...

GHSA-3989-4c6x-725f: XWiki Platform vulnerable to privilege escalation from view right on XWiki.AttachmentSelector

### Impact Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20275 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996) on `XWiki.AttachmentSelector`. ### References - https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996 - https://jira.xwiki.org/browse/XWIKI-20275 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailt...

GHSA-9j36-3cp4-rh4j: XWiki vulnerable to Code Injection in template provider administration

### Impact Any user with edit rights on any document (e.g., the own user profile) can execute code with programming rights, leading to remote code execution by following these steps: 1. Set the title of any document you can edit (can be the user profile) to ``` {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} ``` 2. Use the object editor to add an object of type `XWiki.TemplateProviderClass` (named "Template Provider Class") to that document. 3. Go to another document you can view (can be the home page) and append `?sheet=XWiki.AdminTemplatesSheet` to the URL. When the attack is successful, a template with name "Hello from groovy!" is displayed in the list while on fixed systems, the full title should be displayed. ### Patches This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. ### Workarounds The vulnerability can be fixed by patching the code in the affected XWiki...

GHSA-fp36-mjw5-fmgx: xwiki-platform-web-templates allows users to be created even when registration is disabled without validation via template macro

### Impact If a guest has view rights on any document, it's possible to create a new user using the `distribution/firstadminuser.wiki` in the wrong context. To reproduce: * On a wiki with view rights for guests but user registration disabled, open as guest <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Btemplate+name%3D%22distribution%2Ffirstadminuser.wiki%22+%2F%7D%7D where <server> is the URL of your XWiki installation. * Enter username and password of your choice. * Click "Register and login" ### Patches The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. ### Workarounds There is no known workaround other than upgrading. ### References https://jira.xwiki.org/browse/XWIKI-19852 https://jira.xwiki.org/browse/XWIKI-20400 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwik...

GHSA-x37v-36wv-6v6h: Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml

### Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode: ```html {{html}} <!--> <Details Open OnToggle=confirm("XSS")> {{/html}} ``` When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. Note that while all versions since 4.2-milestone-1 should be vulnerable, only starting with version 14.6-rc-1 the HTML comment is...

CVE-2021-43819: Product improperly handles vehicles when operating on MC 1.12.2+, causing data and passenger duplication.

Stargate-Bukkit is a mod for the minecraft video game which adds a portal focused environment. In affected versions Minecarts with chests will drop their items when teleporting through a portal; when they reappear, they will still have their items impacting the integrity of the game world. The teleport code has since been rewritten and is available in release `0.11.5.1`. Users are advised to upgrade. There are no known workarounds for this issue.

CVE-2023-29514: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in template provider administration

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on any document (e.g., their own user profile) can execute code with programming rights, leading to remote code execution. This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this vulnerability.