Описание
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.
Ссылки
- Patch
- ExploitPatchVendor Advisory
- ExploitIssue Tracking
- ExploitIssue Tracking
- ExploitIssue TrackingPermissions Required
- Patch
- ExploitPatchVendor Advisory
- ExploitIssue Tracking
- ExploitIssue Tracking
- ExploitIssue TrackingPermissions Required
Уязвимые конфигурации
Конфигурация 1Версия от 3.0 (исключая) до 14.8 (включая)
Одно из
cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:-:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:milestone_2:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:3.0:rc1:*:*:*:*:*:*
EPSS
Процентиль: 91%
0.06345
Низкий
9 Critical
CVSS3
5.4 Medium
CVSS3
Дефекты
CWE-79
Связанные уязвимости
CVSS3: 9
github
почти 3 года назад
org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
EPSS
Процентиль: 91%
0.06345
Низкий
9 Critical
CVSS3
5.4 Medium
CVSS3
Дефекты
CWE-79