Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-hmm7-6ph9-8jf2

Опубликовано: 12 апр. 2023
Источник: github
Github: Прошло ревью
CVSS3: 8.9

Описание

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

{{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}}

Patches

This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Workarounds

No known workaround.

References

For more information

If you have any questions or comments about this advisory:

Ссылки

Пакеты

Наименование

org.xwiki.platform:xwiki-platform-livedata-macro

maven
Затронутые версииВерсия исправления

>= 13.10.10, < 13.10.11

13.10.11

Наименование

org.xwiki.platform:xwiki-platform-livedata-macro

maven
Затронутые версииВерсия исправления

>= 14.4, < 14.4.7

14.4.7

Наименование

org.xwiki.platform:xwiki-platform-livedata-macro

maven
Затронутые версииВерсия исправления

>= 14.9, < 14.10

14.10

EPSS

Процентиль: 71%
0.00689
Низкий

8.9 High

CVSS3

CVE ID

CVE-2023-29508

Дефекты

CWE-79
CWE-80

Связанные уязвимости

nvd логотип

CVE-2023-29508

CVSS3: 8.9
nvd
почти 3 года назад

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

EPSS

Процентиль: 71%
0.00689
Низкий

8.9 High

CVSS3

CVE ID

CVE-2023-29508

Дефекты

CWE-79
CWE-80