Description
org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
Impact
It was possible to inject some code using the URL of authenticate endpoints, e.g.:
This vulnerability was present in recent versions of XWiki:
- 13.10.8+
- 14.4.3+
- 14.6+
Patches
This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.
Workarounds
There is no easy workaround except to upgrade.
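As an added illustration that is not code from the advisory or from the XWiki project, the Python below shows the defect class the advisory describes (a request URL reflected into HTML without encoding) next to the hardened form, plus a small check a defender can run over access logs while waiting to upgrade. The endpoint path `/xwiki/authenticate`, the template and the log lines are constructed assumptions; the advisory does not give the real path or the vulnerable code.

```python
import html
import re
from typing import List

# Hypothetical authenticate endpoint path; the advisory does not name the real one.
AUTHENTICATE_PATH = "/xwiki/authenticate"


def render_vulnerable(request_url: str) -> str:
    """Reflect the request URL into an HTML attribute without encoding.

    This is the defect class behind a reflected XSS: anything the client
    puts in the URL lands in the page verbatim.
    """
    return f'<form action="{request_url}" method="post"></form>'


def render_hardened(request_url: str) -> str:
    """Same template, but the URL is HTML-attribute-encoded first.

    quote=True also encodes the quote characters, which is what closes an
    attribute context safely.
    """
    return f'<form action="{html.escape(request_url, quote=True)}" method="post"></form>'


# Constructed common-log-format request line: "METHOD URL HTTP/x.y"
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[0-9.]+"')
# HTML metacharacters that have no business in a URL to an auth endpoint.
_SUSPICIOUS_RE = re.compile(r'[<>"\']')


def flag_requests(log_lines: List[str]) -> List[str]:
    """Return request URLs to the authenticate path whose percent-decoded
    form contains HTML metacharacters. Meant for log review, not blocking."""
    from urllib.parse import unquote

    flagged = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        url = match.group("url")
        if not url.startswith(AUTHENTICATE_PATH):
            continue
        decoded = unquote(url)
        if _SUSPICIOUS_RE.search(decoded):
            flagged.append(decoded)
    return flagged


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /xwiki/authenticate?next=Main.WebHome HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2023:10:00:01 +0000] "GET /xwiki/authenticate?next=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2023:10:00:02 +0000] "GET /xwiki/bin/view/Main/?x=%3Cb%3E HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    url = "/xwiki/authenticate?next=<b>hi</b>"
    print(render_vulnerable(url))
    print(render_hardened(url))
    print(flag_requests(SAMPLE_LOG))
```

The log check only looks at requests to the authenticate path, so a `<` in a wiki page URL (the third sample line) is not reported; decode before matching, otherwise percent-encoded input slips past the pattern.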
References
- https://jira.xwiki.org/browse/XWIKI-20335
- https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at security mailing-list
Packages
- org.xwiki.platform:xwiki-platform-security-authentication-default, affected >= 13.10.8, < 13.10.11, patched in 13.10.11
- org.xwiki.platform:xwiki-platform-security-authentication-default, affected >= 14.4.3, < 14.4.7, patched in 14.4.7
- org.xwiki.platform:xwiki-platform-security-authentication-default, affected >= 14.6, < 14.10, patched in 14.10
Related vulnerabilities
XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.