SB2022112156 - Multiple vulnerabilities in XWiki platform
Published: November 21, 2022 Updated: May 5, 2026
Description
This security bulletin contains information about 85 vulnerabilities.
1) Incorrect authorization (CVE-ID: CVE-2023-41046)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify data.
The vulnerability exists due to improper access control in TextArea properties with the "VelocityCode" or "VelocityWiki" content type when adding the property to an object. A remote user can create an XClass with such a property to disclose sensitive information and modify data.
For the "VelocityCode" case, the document syntax must be set to xwiki/1.0. The executed code runs with the context author and cannot access privileged APIs.
2) Improper access control (CVE-ID: CVE-2023-40573)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper access control in Groovy scheduled jobs when checking the content author for programming right and triggering jobs through the scheduler. A remote user can create or modify a Groovy job in a document whose content was last changed by a user with programming right and trigger it via a crafted request to execute arbitrary code.
User interaction is required, and exploitation requires edit right on a document whose content was last changed by a user with programming right.
3) Cross-site request forgery (CVE-ID: CVE-2023-40572)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to cross-site request forgery in the create action when handling crafted create requests embedded in XWiki syntax content. A remote user can place a specially crafted image reference in content that supports XWiki syntax to execute arbitrary code.
User interaction is required, and exploitation succeeds when a user with script or programming right views the crafted content.
4) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2023-37911)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in deleted document revisions when accessing deleted revisions through the diff feature or the REST API. A remote user can request versions such as deleted:1 to disclose sensitive information.
The issue occurs when a document has been deleted and re-created, and can also affect any deleted document if the user can re-create it in the original location.
5) Transmission of Private Resources into a New Sphere ('Resource Leak') (CVE-ID: CVE-2023-38509)
CWE-ID: CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to transmission of private resources into a new sphere in the live table email sorting functionality when handling sorting of obfuscated email addresses. A remote user can sort by obfuscated email addresses to disclose sensitive information.
6) Eval Injection (CVE-ID: CVE-2023-37909)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in Menu.UIExtensionSheet when processing user-controlled UIExtensionClass data from a user profile. A remote user can add a crafted UIExtensionClass object to their own profile and access the sheet to execute arbitrary code.
The issue can be exploited by a user who is able to edit their own user profile, and it also allows unrestricted read and write access to all wiki contents.
7) Cross-site request forgery (CVE-ID: CVE-2023-46242)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute content with the rights of the targeted user.
The vulnerability exists due to cross-site request forgery (CSRF) in the edit action when handling crafted edit URLs. A remote attacker can trick a user into following a crafted URL to execute content with the rights of the targeted user.
User interaction is required, and exploitation can lead to code execution if the targeted user has programming rights.
8) Cross-site request forgery (CVE-ID: CVE-2023-37277)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to cross-site request forgery in the REST API when handling POST requests with form-compatible content types. A remote attacker can cause the victim to submit a crafted request to execute arbitrary code.
Code execution through script macros requires interaction from a user who has programming rights.
9) Incorrect Privilege Assignment (CVE-ID: CVE-2023-36468)
CWE-ID: CWE-266 - Incorrect Privilege Assignment
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to incorrect privilege assignment in old document revisions when accessing a vulnerable document revision through the rev URL parameter. A remote user can request an old vulnerable revision of a document to execute arbitrary code.
This affects upgraded installations and can also affect manually added script macros whose vulnerable versions remain in document history. Fresh installations are not affected, and content that is only loaded from the current version of a document is not affected.
10) Relative Path Traversal (CVE-ID: CVE-2023-37913)
CWE-ID: CWE-23 - Relative Path Traversal
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to relative path traversal in the office converter when processing an attachment with a specially crafted file name. A remote user can upload or rename an attachment to write its contents to an attacker-controlled location on the server to execute arbitrary code.
Exploitation requires the office conversion process to be running, and successful file writing depends on the Java process having write access to the target location.
11) Incorrect authorization (CVE-ID: CVE-2023-50732)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute a Velocity script without script right.
The vulnerability exists due to incorrect authorization in the document tree macro when rendering the document tree. A remote attacker can create a document with a crafted title containing Velocity code to execute a Velocity script without script right.
12) Incorrect authorization (CVE-ID: CVE-2023-46244)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to incorrect authorization in the title displayer API when executing Velocity content in a script. A remote privileged user can create a document containing specially crafted Velocity code to escalate privileges.
The issue allows Velocity content to be executed with the rights of another document's content author.
13) Incorrect authorization (CVE-ID: CVE-2023-46243)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code with the rights of an existing document's content author.
The vulnerability exists due to incorrect authorization in the edit action when handling edit requests with user-supplied content. A remote user can send a specially crafted edit URL to execute arbitrary code with the rights of an existing document's content author.
Exploitation requires edit rights on a document whose content author has programming right or script right.
14) Eval Injection (CVE-ID: CVE-2023-36469)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script macros.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in NotificationRSSService when generating the RSS feed from user-controlled profile and notification data. A remote user can inject crafted macro code into profile fields to execute arbitrary script macros.
This can lead to unrestricted read and write access to all wiki contents.
15) Eval Injection (CVE-ID: CVE-2023-40177)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary scripts with programming rights.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the AppWithinMinutes content field displayer when rendering the content field of a user profile page. A remote user can place crafted script content in their profile content field to execute arbitrary scripts with programming rights.
The issue affects cases where a wiki page, including a user profile page, is used as an AWM Content field and the content is executed with the rights of the AppWithinMinutes.Content author instead of the content author.
16) Eval Injection (CVE-ID: CVE-2023-37914)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the invitation application subject and message preview handling when processing user-supplied invitation subject or message content. A remote user can submit specially crafted macro content to execute arbitrary code.
The issue affects users who can view Invitation.WebHome, and exploitation can provide unrestricted read and write access to wiki contents.
17) Eval Injection (CVE-ID: CVE-2023-35152)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Like application's LiveTableResults when rendering a user's first name field. A remote user can place dangerous content in their first name field to escalate privileges.
The injected content can be executed with programming rights.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the user's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the delattachment action when processing a forged delete attachment request with a specific attachment name. A remote privileged user can send a specially crafted request to execute arbitrary script in the user's browser.
Exploitation requires user interaction and is possible only if the attacker knows the user's CSRF token or if the user ignores the warning about the missing CSRF token.
19) Cross-site scripting (CVE-ID: CVE-2023-34464)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary actions with the victim's rights.
The vulnerability exists due to cross-site scripting in the displaycontent/rendercontent template when rendering plain HTML from an editable wiki document with plain output syntax. A remote user can place malicious HTML in a wiki document and trick the victim into visiting a crafted URL to execute arbitrary actions with the victim's rights.
User interaction is required, and exploitation depends on the victim visiting the document through the displaycontent or rendercontent template with plain output syntax.
20) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2023-35151)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of private personal information in the REST endpoint for XWiki user objects when handling requests for user object results. A remote attacker can send a request to the REST API to disclose sensitive information.
Email addresses are returned in clear text even when mail obfuscation is enabled.
21) Eval Injection (CVE-ID: CVE-2023-36470)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in icon themes when rendering icon sets from created or edited documents. A remote user can inject XWiki syntax and Velocity code to execute arbitrary code.
The injected code can be executed with programming rights, impacting the confidentiality, integrity, and availability of the whole XWiki instance.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script code in users' browsers.
The vulnerability exists due to improper neutralization of script-related HTML tags in the CKEditor JavaScript configuration pages when editing pages in the CKEditor space. A remote user can modify the JavaScript configuration to execute arbitrary script code in users' browsers.
User interaction is required to load the affected content.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in displayer_timezone.vm when displaying the time zone user preference in a user profile. A remote user can set a crafted time zone value through the profile save request to execute arbitrary script code in a victim's browser.
User interaction is required because a victim must visit the malicious user profile.
24) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2023-35160)
CWE-ID: CWE-87 - Improper Neutralization of Alternate XSS Syntax
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject arbitrary JavaScript in the page.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the resubmit template when handling the xback and xcontinue URL parameters. A remote attacker can forge a URL with a crafted payload to inject arbitrary JavaScript in the page.
User interaction is required to open the crafted URL.
25) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2023-35156)
CWE-ID: CWE-87 - Improper Neutralization of Alternate XSS Syntax
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject JavaScript in the page.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the delete template when processing the xredirect parameter. A remote attacker can send a specially crafted URL to inject JavaScript in the page.
User interaction is required to open the crafted URL.
26) Incorrect authorization (CVE-ID: CVE-2023-35166)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary wiki content with the rights of the TipsPanel author.
The vulnerability exists due to incorrect authorization in the TipsPanel UI extension handling when processing a crafted tip UI extension. A remote user can create a tip UI extension for the org.xwiki.platform.help.tipsPanel extension point to execute arbitrary wiki content with the rights of the TipsPanel author.
27) Open redirect (CVE-ID: CVE-2023-32068)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to URL redirection to an untrusted site in the URL redirect handling when processing well-known URL parameters. A remote attacker can supply a crafted redirect parameter value such as http:example.com to redirect users to an untrusted site.
User interaction is required for exploitation.
28) Insufficiently protected credentials (CVE-ID: CVE-2023-34465)
CWE-ID: CWE-522 - Insufficiently Protected Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify mail configuration.
The vulnerability exists due to improper access control in Mail.MailConfig when handling edit requests. A remote user can edit the page to view and modify the mail sending configuration, including the SMTP domain name and credentials, to disclose sensitive information and modify mail configuration.
By default, any logged-in user with edit rights can exploit this issue.
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in AppWithinMinutes.ClassEditSheet when rendering name parameters from a page title. A remote user can set a malicious payload in the title of a page with the AppWithinMinutes.FormFieldCategoryClass class and cause execution of arbitrary script code in a victim's browser.
User interaction is required: the victim must visit /xwiki/bin/view/AppWithinMinutes/ClassEditSheet.
30) Improper Encoding or Escaping of Output (CVE-ID: CVE-2023-32071)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary JavaScript in the context of another user's session.
The vulnerability exists due to improper encoding or escaping of output in the importinline template when handling the editor parameter in a crafted URL targeting a page that contains an attachment. A remote user can send a specially crafted URL to execute arbitrary JavaScript in the context of another user's session.
User interaction is required to visit the crafted URL, and the target page must contain an attachment.
31) Incorrect authorization (CVE-ID: CVE-2023-32069)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to incorrect authorization in the XWiki.ClassSheet document handling when rendering a user profile containing a DocumentSheetBinding object bound to the Default Class Sheet. A remote user can add a DocumentSheetBinding object to their profile and inject crafted Groovy macro content to execute arbitrary code.
The code is executed with the rights of the author of the XWiki.ClassSheet document.
32) Improper Neutralization of Alternate XSS Syntax (CVE-ID: CVE-2023-35158)
CWE-ID: CWE-87 - Improper Neutralization of Alternate XSS Syntax
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to inject arbitrary JavaScript in the page.
The vulnerability exists due to improper neutralization of alternate XSS syntax in the restore template when handling the xredirect parameter in a crafted URL. A remote attacker can send a specially crafted URL to inject arbitrary JavaScript in the page.
User interaction is required to open the crafted URL.
33) Cross-site scripting (CVE-ID: CVE-2023-35155)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary JavaScript in the page.
The vulnerability exists due to cross-site scripting in the share page target parameter when handling a forged URL. A remote attacker can send a specially crafted link to inject arbitrary JavaScript in the page.
User interaction is required to open the crafted link.
34) Missing Authorization (CVE-ID: CVE-2023-37910)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to disclose sensitive information and modify attachments.
The vulnerability exists due to missing authorization in attachment move support in org.xwiki.platform:xwiki-platform-attachment-api when moving attachments between documents. A remote user can move an attachment from another document to an attacker-controlled document to disclose sensitive information and modify attachments.
The source attachment name must be known, and the moved attachment is deleted from the source document.
35) Improper access control (CVE-ID: CVE-2023-29527)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code and escalate privileges.
The vulnerability exists due to improper access control in the AWM view sheet when viewing a document containing an AppWithinMinutes.LiveTableClass object. A remote user can add such an object to a document with script content and view the document to execute arbitrary code and escalate privileges.
36) Transmission of Private Resources into a New Sphere ('Resource Leak') (CVE-ID: CVE-2023-34467)
CWE-ID: CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to transmission of private resources into a new sphere in the live table REST response when handling user listing requests. A remote attacker can send a request to retrieve unobfuscated email addresses to disclose sensitive information.
The issue also allows filtering and sorting on unobfuscated email values, which can be used to infer email content even when displayed addresses are obfuscated.
37) Improper Encoding or Escaping of Output (CVE-ID: CVE-2023-29525)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper encoding or escaping of output in XWiki.Notifications.Code.LegacyNotificationAdministration when handling the since parameter. A remote user can send a specially crafted request to escalate privileges.
The issue allows privilege escalation from view right to programming rights through XWiki syntax injection.
38) Improper Encoding or Escaping of Output (CVE-ID: CVE-2023-29524)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code with elevated privileges.
The vulnerability exists due to improper encoding or escaping of output in XWiki.SchedulerJobSheet when rendering a user profile containing a crafted XWiki.SchedulerJobClass object. A remote user can add a malicious job script to their profile and access the scheduler job sheet to execute arbitrary code with elevated privileges.
The issue can be triggered by a user without script or programming rights.
39) Eval Injection (CVE-ID: CVE-2023-35150)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Invitation application when processing a crafted URL parameter in a view request. A remote user can craft a URL with a dangerous payload to execute arbitrary code.
The issue can be triggered by a user with view rights on any document.
40) Eval Injection (CVE-ID: CVE-2023-29523)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the display method used in user profiles when rendering a document field with wiki syntax. A remote user can edit their own user profile to execute arbitrary code.
The issue can also be exploited in other contexts where the display method on a document is used to display a field with wiki syntax, including applications created using App Within Minutes.
41) Eval Injection (CVE-ID: CVE-2023-29522)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.ClassSheet when rendering a non-existing page with a crafted page name. A remote user can open a specially crafted URL to execute arbitrary code.
The issue can expose unrestricted read and write access to all wiki contents.
42) Eval Injection (CVE-ID: CVE-2023-29521)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in Macro.VFSTreeMacro when rendering the VFS Tree macro. A remote user can inject Groovy, Python or Velocity code into the macro, which is then executed, resulting in arbitrary code execution.
The vulnerable page is not installed by default.
43) Information disclosure (CVE-ID: CVE-2023-34466)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the tags API when handling requests for tags on non-viewable pages. A remote user can query tags for non-viewable pages to disclose sensitive information.
The leaked information can also be used to infer the document reference of non-viewable pages.
44) Uncaught Exception (CVE-ID: CVE-2023-29520)
CWE-ID: CWE-248 - Uncaught Exception
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify translations.
The vulnerability exists due to uncaught exception in the wiki localization source when loading a corrupted document containing a translation object. A remote user can create such a document to modify translations.
45) Eval Injection (CVE-ID: CVE-2023-29518)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in Invitation.InvitationCommon when processing user-controlled content. A remote user can inject arbitrary Groovy, Python, or Velocity code to execute arbitrary code.
This page is installed by default.
46) Information disclosure (CVE-ID: CVE-2023-29517)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information in the office document viewer macro when handling document viewing requests through a connected office server. A remote attacker can access file contents from the hosting server to disclose sensitive information.
The issue depends on the office server being connected, and the accessible data depends on the permissions of the user running the servlet engine hosting XWiki.
47) Eval Injection (CVE-ID: CVE-2023-29516)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the XWiki.AttachmentSelector page when processing the "Cancel and return to page" button input. A remote user can send a specially crafted value to execute arbitrary code.
This page is installed by default.
48) Incorrect Privilege Assignment (CVE-ID: CVE-2023-29515)
CWE-ID: CWE-266 - Incorrect Privilege Assignment
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject malicious JavaScript.
The vulnerability exists due to incorrect privilege assignment in App Within Minutes when creating an app. A remote user can create an app or directly open the CreateApplication wizard endpoint to inject malicious JavaScript.
The issue occurs because creating an app can grant space admin rights, which imply script rights.
49) Eval Injection (CVE-ID: CVE-2023-29514)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in template provider administration when processing document titles in the administration template listing. A remote user can set a crafted document title, add an XWiki.TemplateProviderClass object to a document they can edit, and access the administration templates sheet to execute arbitrary code.
Exploitation requires edit rights on a document and the ability to add a Template Provider Class object.
50) Improper access control (CVE-ID: CVE-2023-29513)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to create a new user account even when registration is disabled.
The vulnerability exists due to improper access control in the distribution/firstadminuser.wiki template macro when rendering the template in the wrong context. A remote user can invoke the template through a crafted request to create a new user account even when registration is disabled.
Exploitation requires guest view rights on at least one document, and on installations starting with XWiki 14.5 a valid CSRF token is also required.
51) Eval Injection (CVE-ID: CVE-2023-29512)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in imported.vm, importinline.vm, and packagelist.vm when loading information from attachments. A remote user can place crafted attachment content on a page they can edit to execute arbitrary code.
The affected page is installed by default, and successful exploitation can lead to full access to the XWiki installation.
52) Eval Injection (CVE-ID: CVE-2023-29511)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWiki.AdminFieldsDisplaySheet when processing section ids. A remote user can inject crafted section ids to execute arbitrary code.
The issue can lead to full access to the XWiki installation, and the affected page is installed by default.
53) Eval Injection (CVE-ID: CVE-2023-29510)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the localization script when processing user-scoped translations in privileged contexts without escaping. A remote user can add a crafted translation that overrides an existing translation to execute arbitrary code.
Exploitation requires edit access on at least one document, which can be the user's own profile where edit access is enabled by default.
54) Eval Injection (CVE-ID: CVE-2023-30537)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in FlamingoThemesCode.WebHomeSheet when rendering theme style properties from user-controlled objects. A remote user can add a crafted Theme Class object with malicious style content to execute arbitrary code.
The vulnerable page is installed by default, and exploitation requires the right to add an object on a page.
55) Eval Injection (CVE-ID: CVE-2023-29509)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the documentTree macro parameters in FlamingoThemesCode.WebHome when processing a crafted request URL. A remote user can supply crafted macro input to execute arbitrary code.
The issue can lead to privilege escalation from view rights to programming rights, resulting in full access to the XWiki installation.
56) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the Live Data macro when rendering user-controlled HTML content. A remote user can inject crafted content to execute arbitrary script in a victim's browser.
Exploitation requires user interaction and only succeeds if the last author of the page content has script rights.
57) Incorrect Use of Privileged APIs (CVE-ID: CVE-2023-29507)
CWE-ID: CWE-648 - Incorrect Use of Privileged APIs
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to incorrect use of privileged APIs in the Document script API when returning a DocumentAuthors object to scripts. A remote privileged user can set arbitrary document authors to escalate privileges.
This can lead to subsequent script executions being evaluated with the modified author for rights checking.
58) Cross-site scripting (CVE-ID: CVE-2023-29506)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script code in the victim's browser.
The vulnerability exists due to cross-site scripting in authenticate endpoints when handling a crafted authenticate endpoint URL. A remote attacker can send a specially crafted URL to execute arbitrary script code in the victim's browser.
User interaction is required to open the crafted URL.
59) Incorrect authorization (CVE-ID: CVE-2024-38369)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute content with the rights of the author of a document that uses the include macro.
The vulnerability exists due to incorrect authorization in the include macro when executing content from an included document. A remote user who can edit a document that another document includes can place content in it that runs with the rights of the including document's author, effectively impersonating that author.
The included content is executed with the rights of the includer instead of the rights of its own author.
60) XML External Entity injection (CVE-ID: CVE-2023-27480)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper restriction of XML external entity reference in the XAR import package.xml parser when parsing a forged XAR file during import. A remote user can upload a specially crafted XAR file and trigger its import to disclose sensitive information.
Exploitation requires edit rights on a document and can expose the content of files on the XWiki server host.
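The following Python helper is an added illustration of the defensive side of this issue, not XWiki's own import code. A XAR is a zip archive whose package.xml descriptor lists the documents it carries; a forged descriptor needs a DOCTYPE with an external entity to read server files. The helper opens the archive in memory, runs package.xml through an expat pass whose handlers refuse any DOCTYPE or entity declaration, and only then builds a tree. The simplified package.xml layout, the sample archives and the function names are assumptions made for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXarError(ValueError):
    """package.xml carried a DOCTYPE or an entity declaration."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise UnsafeXarError(f"DOCTYPE '{doctype_name}' is not allowed in package.xml")


def _reject_entity(name, is_parameter_entity, value, base, system_id, public_id, notation):
    raise UnsafeXarError(f"entity declaration '{name}' is not allowed in package.xml")


def parse_package_xml(data: bytes) -> ET.Element:
    """Parse package.xml, refusing any DOCTYPE or entity declaration.

    A plain expat pass acts as the gate: its handlers raise as soon as a
    DOCTYPE or an entity declaration appears, so nothing can be resolved.
    Only after the gate passes is the same byte string turned into a tree.
    """
    gate = expat.ParserCreate()
    gate.StartDoctypeDeclHandler = _reject_doctype
    gate.EntityDeclHandler = _reject_entity
    # Belt and braces: refuse to load any external entity the gate missed.
    gate.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    gate.Parse(data, True)
    return ET.fromstring(data)


def load_xar_descriptor(xar_bytes: bytes) -> dict:
    """Read package.xml out of an in-memory XAR and return its name and document list.

    Simplified descriptor layout assumed for the example:
    <package><infos><name>..</name></infos><files><file>Space.Page</file>..</files></package>
    """
    with zipfile.ZipFile(io.BytesIO(xar_bytes)) as archive:
        descriptor = archive.read("package.xml")
    root = parse_package_xml(descriptor)
    infos = root.find("infos")
    return {
        "name": infos.findtext("name") if infos is not None else None,
        "documents": [f.text for f in root.iter("file")],
    }


def is_safe_xar(xar_bytes: bytes) -> bool:
    """True when the XAR's package.xml can be parsed without entity tricks."""
    try:
        load_xar_descriptor(xar_bytes)
    except UnsafeXarError:
        return False
    return True


def build_xar(package_xml: bytes) -> bytes:
    """Constructed helper: wrap a package.xml into an in-memory XAR (zip)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("package.xml", package_xml)
    return buffer.getvalue()


# Constructed sample descriptors: one benign, one forged with an external entity.
BENIGN_PACKAGE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<package>
  <infos><name>Example</name></infos>
  <files><file defaultAction="0" language="">Main.WebHome</file></files>
</package>"""

FORGED_PACKAGE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE package [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>
<package>
  <infos><name>&xxe;</name></infos>
  <files/>
</package>"""


if __name__ == "__main__":
    print(load_xar_descriptor(build_xar(BENIGN_PACKAGE_XML)))
    print("forged XAR accepted:", is_safe_xar(build_xar(FORGED_PACKAGE_XML)))
```

The gate rejects at the DOCTYPE token, before the entity declaration is even reached, so the file reference is never resolved. In a Java deployment the equivalent is to disable DOCTYPE declarations and external entity features on the DocumentBuilderFactory before the importer parses anything from the archive.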
61) Eval Injection (CVE-ID: CVE-2023-29214)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the IncludedDocuments panel when processing included page content. A remote user can edit a document containing crafted directives to execute arbitrary code.
Exploitation requires edit rights and the Panels.IncludedDocuments panel to be added on a column by an administrator.
62) Eval Injection (CVE-ID: CVE-2023-29213)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the logging administration interface when handling crafted logger_name parameters in requests to the LoggingAdmin page. A remote user can trick a user with programming rights into visiting a specially crafted URL to execute arbitrary code.
User interaction is required, and exploitation depends on a user with programming rights visiting the crafted URL.
63) Eval Injection (CVE-ID: CVE-2023-29212)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the IncludedPagesDocumentInformation included documents edit panel when rendering included pages. A remote user can edit a document containing specially crafted content to execute arbitrary code.
This can lead to full access to the XWiki installation.
64) Eval Injection (CVE-ID: CVE-2023-29211)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the WikiManager.DeleteWiki functionality when processing the wikiId URL parameter. A remote user can send a specially crafted request to execute arbitrary code.
Exploitation requires view rights on WikiManager.DeleteWiki.
65) Eval Injection (CVE-ID: CVE-2023-27479)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary Groovy, Python or Velocity code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in UIX parameter handling in PanelsCode.ApplicationsPanelConfigurationSheet when processing extension parameters. A remote user can add an XWiki.UIExtensionClass xobject with crafted extension parameters to execute arbitrary Groovy, Python or Velocity code.
Exploitation requires view rights.
66) Eval Injection (CVE-ID: CVE-2023-29210)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the notification preferences macros when processing the user parameter. A remote user can inject crafted macro input to execute arbitrary code.
The affected macros are used in user profiles and are installed by default in XWiki.
67) Eval Injection (CVE-ID: CVE-2023-29209)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the legacy notification activity macro when processing crafted macro parameters. A remote user can supply crafted macro input to execute arbitrary code.
The issue can be exploited through editable wiki pages, and it can also be reached with only view rights via the HTMLConverter in the bundled CKEditor integration.
68) Exposure of Resource to Wrong Sphere (CVE-ID: CVE-2023-29208)
CWE-ID: CWE-668 - Exposure of resource to wrong sphere
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in deleted document view handling when viewing deleted documents. A remote attacker can view a deleted document whose view rights were defined on the document itself to disclose sensitive information.
Only deleted documents that define their own view rights are affected; view rights granted on the space of a deleted document are properly checked.
69) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary actions in the wiki.
The vulnerability exists due to improper neutralization of script-related HTML tags in the LiveTable Macro when rendering user-controlled column names. A remote user can inject crafted HTML or JavaScript through macro parameters to execute arbitrary actions in the wiki.
This issue is also exploitable via the Documents Macro and can be triggered in comments. Exploitation requires a user with more rights to view the injected content.
70) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the HTML displayer in the Live Data macro when rendering user-supplied HTML content. A remote user can inject a specially crafted Live Data entry to execute arbitrary script in a victim's browser.
User interaction is required to view the crafted content.
71) Cross-site scripting
CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary script in a victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in the HTML macro when rendering user-supplied HTML content. A remote user can create content containing malicious script-related HTML tags to execute arbitrary script in a victim's browser.
In a standard wiki, any user is able to use the HTML macro directly in their own user profile page.
72) Open redirect (CVE-ID: CVE-2023-29204)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to URL redirection to an untrusted site in redirect handling in xwiki-platform-oldcore when processing crafted redirect URLs. A remote attacker can supply a redirect value such as //mydomain.com or http:/mydomain.com, which the check did not recognise as external, to redirect users to an untrusted site.
User interaction is required.
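The two bypass values named above are instructive: "//mydomain.com" is a scheme-relative URL that the browser resolves against the current scheme, and "http:/mydomain.com" has a single slash that browsers silently repair to "http://mydomain.com". A check that only refuses targets beginning with "http://" or "https://" passes both. The Python below is an added example, not XWiki's redirect code: it contrasts that insufficient check with a validator that accepts only an absolute path inside the application. The function names are assumptions for the example.

```python
from urllib.parse import urlsplit


def naive_is_local(target: str) -> bool:
    """A check of the insufficient kind: only absolute http(s) URLs are refused.

    Constructed for the example. Both "//mydomain.com" (scheme-relative) and
    "http:/mydomain.com" (single slash, repaired by browsers) pass this test
    and both leave the site.
    """
    return not target.startswith(("http://", "https://"))


def is_local_redirect(target: str) -> bool:
    """Accept only an absolute path inside this application.

    The target must start with exactly one forward slash, contain no
    backslash (browsers normalise it to '/') and no control character,
    and parse with neither a scheme nor an authority component.
    """
    if not target.startswith("/") or target.startswith("//"):
        return False
    if "\\" in target or any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def safe_redirect(target: str, fallback: str = "/") -> str:
    """Return the target if it is local, otherwise the application's fallback."""
    return target if is_local_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("//mydomain.com", "http:/mydomain.com", "/bin/view/Main/WebHome"):
        print(f"{candidate!r}: naive={naive_is_local(candidate)} strict={is_local_redirect(candidate)}")
```

Note that parsing alone is not a sufficient check either: urlsplit("http:/mydomain.com") yields an empty netloc but a scheme of http, so a validator that only inspects the netloc still lets it through. Requiring a leading single slash and rejecting any scheme or netloc closes both cases.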
73) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2023-29203)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose private personal information.
The vulnerability exists due to improper access control in uorgsuggest.vm when requesting users on a subwiki that allows only global users. A remote attacker can send a crafted request to disclose private personal information.
Only hidden users from the main wiki are affected, and the disclosed information is limited to usernames and first and last names.
74) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2022-41936)
CWE-ID: CWE-359 - Exposure of Private Information ('Privacy Violation')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the modifications REST endpoint when handling requests. A remote attacker can query the endpoint to disclose sensitive information.
Exposed information can include comments and page names that should be hidden from unauthorized users.
75) Information disclosure (CVE-ID: CVE-2022-41935)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to exposure of sensitive information to an unauthorized actor in the LiveTable results endpoint when processing repeated Livetable queries for restricted documents. A remote attacker can send specially crafted queries to disclose sensitive information.
By iteratively refining query terms, an attacker can infer the existence of restricted documents and recover portions of their title, content, or XObject properties.
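The leak works because the filter runs over documents the caller may not view and the caller still learns how many rows matched. The Python below is an added illustration of that oracle and of the fix, not XWiki's LiveTable code: a constructed in-memory corpus stands in for the wiki, a title-prefix filter stands in for the LiveTable filter, and two variants of the results endpoint differ only in whether the rights check runs before or after the filter. The document names, titles, users and function names are all assumptions for the example.

```python
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Doc:
    name: str
    title: str
    viewers: frozenset  # users allowed to view the document


# Constructed corpus: HR.Salary is restricted to bob; alice can see the rest.
CORPUS = (
    Doc("Main.WebHome", "Home", frozenset({"alice", "bob"})),
    Doc("Sandbox.WebHome", "Sandbox", frozenset({"alice", "bob"})),
    Doc("HR.Salary", "Salary Review 2023", frozenset({"bob"})),
    Doc("HR.Policy", "Remote Work Policy", frozenset({"alice", "bob"})),
)


def livetable_vulnerable(user: str, title_prefix: str):
    """Filter first, check rights second: hidden rows are dropped but still counted."""
    matched = [d for d in CORPUS if d.title.lower().startswith(title_prefix.lower())]
    rows = [d.name for d in matched if user in d.viewers]
    return rows, len(matched)


def livetable_fixed(user: str, title_prefix: str):
    """Check rights first, filter second: the total only ever counts visible rows."""
    allowed = [d for d in CORPUS if user in d.viewers]
    matched = [d for d in allowed if d.title.lower().startswith(title_prefix.lower())]
    return [d.name for d in matched], len(matched)


def hidden_match_exists(endpoint, user: str, prefix: str) -> bool:
    """The oracle: a total larger than the rows returned means a hidden document matched."""
    rows, total = endpoint(user, prefix)
    return total > len(rows)


def recover_hidden_title(
    endpoint,
    user: str,
    alphabet: str = string.ascii_lowercase + string.digits + " ",
    max_len: int = 64,
) -> str:
    """Extend a prefix one character at a time while the oracle confirms a hidden match.

    Each step costs at most len(alphabet) queries, so a title of n characters
    is recovered in O(n * len(alphabet)) requests.
    """
    if not hidden_match_exists(endpoint, user, ""):
        return ""
    title = ""
    while len(title) < max_len:
        for ch in alphabet:
            if hidden_match_exists(endpoint, user, title + ch):
                title += ch
                break
        else:
            break  # no character extends the prefix: the title is complete
    return title


if __name__ == "__main__":
    print("vulnerable:", repr(recover_hidden_title(livetable_vulnerable, "alice")))
    print("fixed:     ", repr(recover_hidden_title(livetable_fixed, "alice")))
```

Against the vulnerable endpoint alice, who cannot view HR.Salary, recovers its title in full from counts alone; against the fixed endpoint the first query already reports no hidden match and nothing is learned. The same reasoning applies to any filterable field, which is why the bulletin lists content and XObject properties alongside titles.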
76) Cross-site scripting (CVE-ID: CVE-2023-29202)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary actions in the wiki.
The vulnerability exists due to cross-site scripting in the RSS macro HTML output when rendering feed item content from an attacker-controlled RSS feed with the content parameter set to true. A remote user can specify a malicious RSS feed to execute arbitrary actions in the wiki.
User interaction is required, and exploitation becomes particularly severe if a user with programming rights views the page.
77) Eval Injection (CVE-ID: CVE-2022-41934)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the menu macro when processing macro content and parameters. A remote user can inject crafted Groovy, Python, or Velocity code to execute arbitrary code.
The issue affects commonly accessible documents that include the menu macro and can lead to full access to the XWiki installation.
78) Missing Authorization (CVE-ID: CVE-2022-41937)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to modify any page of the wiki.
The vulnerability exists due to missing authorization in the filter stream converter application when importing a crafted XAR package. A remote user can import a crafted XAR package to modify any page of the wiki.
Exploitation requires view access.
79) Unprotected storage of credentials (CVE-ID: CVE-2022-41933)
CWE-ID: CWE-256 - Unprotected Storage of Credentials
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to plaintext storage of a password in the password reset feature when processing a forgotten password reset. A remote privileged user can trigger a password reset and obtain the password from the database to disclose sensitive information.
Only the reset password feature reachable from the "Forgot your password" link is affected, and the issue concerns users of the main wiki rather than subwiki users in farm deployments.
80) Resource exhaustion (CVE-ID: CVE-2022-41932)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in the login form when processing a crafted user identifier. A remote attacker can submit a crafted user identifier to cause a denial of service.
This issue affects deployments using PostgreSQL.
81) Eval Injection (CVE-ID: CVE-2022-41931)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary Groovy, Python or Velocity code in XWiki.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the icon picker macro when processing macro parameters. A remote user can supply crafted macro parameter values to execute arbitrary Groovy, Python or Velocity code in XWiki.
Exploitation requires view rights on commonly accessible documents that include the icon picker macro.
82) Missing Authorization (CVE-ID: CVE-2022-41929)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify user account status.
The vulnerability exists due to missing authorization in User#setDisabledStatus when handling requests to enable or disable a user. A remote privileged user can invoke the affected method to modify user account status.
Only users with Script rights can exploit this issue, even though enabling or disabling users should require admin rights.
83) Missing Authorization (CVE-ID: CVE-2022-41930)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to enable or disable user profiles.
The vulnerability exists due to missing authorization in XWiki.XWikiUserProfileSheet when handling requests to change user profile status. A remote attacker can send a crafted request to enable or disable any user profile.
This can allow a disabled user to re-enable themselves.
84) Eval Injection (CVE-ID: CVE-2022-41928)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in AttachmentSelector.xml when rendering attachment metadata or macro properties. A remote user can supply a crafted attachment name or crafted macro property values to execute arbitrary code.
The issue can be triggered through the width, height, or alt properties of the attachmentSelector macro, and can also be reached through attachment renaming in a user profile.
85) Cross-site request forgery (CVE-ID: CVE-2022-41927)
CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to delete or rename tags.
The vulnerability exists due to cross-site request forgery (CSRF) in the tag UI when handling requests to delete or rename tags. A remote attacker can send a specially crafted request to delete or rename tags.
User interaction is required.
Remediation
Install update from vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8
- https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj
- https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m
- https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33
- https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g9w4-prf3-m25g
- https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v2rr-xw95-wcjx
- https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5
- https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6
- https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8q9q-r9v2-644m
- https://github.com/xwiki/xwiki-platform/commit/15a6f845d8206b0ae97f37aa092ca43d4f9d6e59
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vcvr-v426-3m3m
- https://github.com/xwiki/xwiki-platform/commit/45d182a4141ff22f3ff289cf71e4669bdc714544
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5f8-qf24-24cj
- https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rmxw-c48h-2vf5
- https://github.com/xwiki/xwiki-platform/commit/11a9170dfe63e59f4066db67f84dbfce4ed619c6
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w
- https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-94pf-92hw-2hjc
- https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5mf8-v43w-mfxp
- https://github.com/xwiki/xwiki-platform/commit/dfb1cde173e363ca5c12eb3654869f9719820262
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7954-6m9q-gpvf
- https://github.com/xwiki/xwiki-platform/commit/ff1d8a1790c6ee534c6a4478360a06efeb2d3591
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
- https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-phwm-87rg-27qq
- https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7
- https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8g9c-c9cm-9c56
- https://github.com/xwiki/xwiki-platform/commit/824cd742ecf5439971247da11bfe7e0ad2b10ede
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf
- https://github.com/xwiki/xwiki-platform/commit/b0cdfd893912baaa053d106a92e39fa1858843c7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2
- https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h8cm-3v5f-rgp6
- https://github.com/xwiki/xwiki-platform/commit/d11ca5d781f8a42a85bc98eb82306c1431e764d4
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3
- https://github.com/xwiki/xwiki-platform/commit/dbc92dcdace33823ffd1e1591617006cb5fc6a7f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c
- https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7h
- https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6gvj-8vc5-8v3j
- https://jira.xwiki.org/browse/XWIKI-20549
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
- https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97
- https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j9h5-vcgv-2jfm
- https://github.com/xwiki/xwiki-platform/commit/28905f7f518cc6f21ea61fe37e9e1ed97ef36f01
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-36fm-j33w-c25f
- https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8
- https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fwwj-wg89-7h4c
- https://github.com/xwiki/xwiki-platform/commit/ca88ebdefb2c9fa41490959cce9f9e62404799e7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rwwx-6572-mp29
- https://github.com/xwiki/xwiki-platform/commit/d7720219d60d7201c696c3196c9d4a86d0881325
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgrg-qvpp-9vwr
- https://jira.xwiki.org/browse/XWIKI-20423
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7vr7-cghh-ch63
- https://jira.xwiki.org/browse/XWIKI-20333
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jgg7-w2rj-58cj
- https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h
- https://github.com/advisories/GHSA-fc42-5w56-qw7h
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w
- https://jira.xwiki.org/browse/XWIKI-20285
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x764-ff8r-9hpx
- https://github.com/xwiki/xwiki-platform/commit/0d547181389f7941e53291af940966413823f61c
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mjw9-3f9f-jq2w
- https://github.com/xwiki/xwiki-platform/commit/d7e56185376641ee5d66477c6b2791ca8e85cfee
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p67q-h88v-5jgr
- https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7f2f-pcv3-j2r7
- https://jira.xwiki.org/browse/XWIKI-20002
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9jq5-xwqw-q8j3
- https://jira.xwiki.org/browse/XWIKI-20460
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-px54-3w5j-qjg9
- https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m3c3-9qj7-7xmx
- https://jira.xwiki.org/browse/XWIKI-20447
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f
- https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-44h9-xxvx-pg6x
- https://github.com/xwiki/xwiki-platform/commit/e73b890623efa604adc484ad82f37e31596fe1a6
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9j36-3cp4-rh4j
- https://github.com/xwiki/xwiki-platform/commit/7bf7094f8ffac095f5d66809af7554c9cc44de09
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp36-mjw5-fmgx
- https://jira.xwiki.org/browse/XWIKI-19852
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hg5x-3w3x-7g96
- https://github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rfh6-mg6h-h668
- https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4v38-964c-xjmw
- https://github.com/xwiki/xwiki-platform/commit/d06ff8a58480abc7f63eb1d4b8b366024d990643
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vrr8-fp7c-7qgp
- https://github.com/xwiki/xwiki-platform/commit/df596f15368342236f8899ca122af8f3df0fe2e8
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f4v8-58f6-mwj4
- https://github.com/xwiki/xwiki-platform/commit/80d5be36f700adcd56b6c8eb3ed8b973f62ec0ae
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-pwfv-3cvg-9m4c
- https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
- https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj3-wpgm-qpxh
- https://jira.xwiki.org/browse/XWIKI-5027
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx4f-976g-7g6v
- https://github.com/xwiki/xwiki-platform/commit/e3527b98fdd8dc8179c24dc55e662b2c55199434
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qx9h-c5v6-ghqh
- https://github.com/xwiki/xwiki-platform/commit/50b4d91418b4150933f0317eb4a94ceaf5b69f67
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4655-wh7v-3vmg
- https://github.com/xwiki/xwiki-platform/commit/49fdfd633ddfa346c522d2fe71754dc72c9496ca
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c5f4-p5wv-2475
- https://github.com/xwiki/xwiki-platform/commit/22f249a0eb9f2a64214628217e812a994419b69f#diff-a51a252f0190274464027342b4e3eafc4ae32de4d9c17ef166e54fc5454c5689R214-R217
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4
- https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qxjg-jhgw-qhrv
- https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p9mj-v5mf-m82x
- https://github.com/xwiki/xwiki-platform/commit/cebf9167e4fd64a8777781fc56461e9abbe0b32a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9pc2-x9qf-7j2q
- https://github.com/xwiki/xwiki-platform/commit/94392490884635c028199275db059a4f471e57bc
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8g-fq6x-jqrr
- https://github.com/xwiki/xwiki-platform/commit/d9e947559077e947315bf700c5703dfc7dd8a8d7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6vgh-9r3c-2cxp
- https://github.com/xwiki/xwiki-platform/commit/65ca06c51e7a1d5a579344c7272b2cc9a9a21126
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
- https://jira.xwiki.org/browse/XWIKI-20143
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vxf7-mx22-jr24
- https://jira.xwiki.org/browse/XWIKI-18568
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xwph-x6xj-wggv
- https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1e#diff-c445f288d5d63424f56ef13f65514ab4e174a72e979b53b88197c2b7def267cf
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vvp7-r422-rx83
- https://jira.xwiki.org/browse/XWIKI-20007
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p88w-fhxw-xvcc
- https://github.com/xwiki/xwiki-platform/commit/38dc1aa1a4435f24d58f5b8e4566cbcb0971f8ff
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p2x4-6ghr-6vmq
- https://github.com/xwiki/xwiki-platform/commit/1450b6e3c69ac7df25e5a2571186d1f43402facd#diff-5a739e5865b1f1ad9d79b724791be51b0095a0170cc078911c940478b13b949a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-c885-89fw-55qr
- https://github.com/xwiki/xwiki-platform/commit/5c7ebe47c2897e92d8f04fe2e15027e84dc3ec03
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6w8h-26xx-cf8q
- https://github.com/xwiki/xwiki-platform/commit/2fc20891e6c6b0ca05ee07e315e7f435e8919f8d
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q6jp-gcww-8v2j
- https://github.com/xwiki/xwiki-platform/commit/fb49b4f289ee28e45cfada8e97e320cd3ed27113
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q2hm-2h45-v5g3
- https://github.com/xwiki/xwiki-platform/commit/443e8398b75a1295067d74afb5898370782d863a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4x5r-6v26-7j4v
- https://jira.xwiki.org/browse/XWIKI-19886
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5j7g-cf6r-g2h7
- https://github.com/xwiki/xwiki-platform/commit/47eb8a5fba550f477944eb6da8ca91b87eaf1d01
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2gj2-vj98-j2qq
- https://github.com/xwiki/xwiki-platform/commit/0b732f2ef0224e2aaf10e2e1ef48dbd3fb6e10cd
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-p5v9-g8w8-5q4v
- https://github.com/xwiki/xwiki-platform/commit/5be1cc0adf917bf10899c47723fa451e950271fa
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j
- https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mq7h-5574-hw9f
- https://github.com/xwiki/xwiki-platform/commit/7fd4cda0590180c4d34f557597e9e10e263def9e