cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-31996,https://securityvulnerability.io/vulnerability/CVE-2024-31996,XWiki Platform HTML escaping tool does not escape `{` allowing remote code execution,"The HTML escaping tool of the XWiki Platform (`$escapetool.html`) does not escape the `{` character. Since `{{` opens a macro in XWiki syntax, a user-controlled value that is HTML-escaped and then rendered as XWiki syntax still allows XWiki syntax injection, including macros, which can lead to remote code execution. The issue affects XWiki versions from 3.0.1 and prior to 14.10.19, 15.5.4, and 15.10-rc-1. Users are advised to upgrade to a patched version. As a temporary workaround, `$escapetool.html` can be replaced with `$escapetool.xml` in the affected documents, which also escapes `{`. The panel document `Panels.PanelLayoutUpdate` is known to be affected; other extensions may be as well and should be reviewed.",Xwiki,Xwiki-commons,9.8,CRITICAL,0.0029700000304728746,false,false,false,false,,false,false,2024-04-10T20:46:19.929Z,0
CVE-2023-36471,https://securityvulnerability.io/vulnerability/CVE-2023-36471,HTML sanitizer allows form elements in restricted mode in org.xwiki.commons:xwiki-commons-xml,"The HTML sanitizer in XWiki Commons allows HTML form elements in restricted mode. Any user who can edit content that is cleaned in restricted mode can therefore embed a form, which can be used for phishing or to trick a privileged user, such as an administrator, into submitting a request that leads to remote code execution. The issue is fixed in versions 14.10.6 and 15.2RC1. Users are strongly encouraged to upgrade; where that is not possible, the sanitizer configuration can be changed to forbid the form-related HTML elements.",Xwiki,Xwiki-commons,9.1,CRITICAL,0.0014100000262260437,false,false,false,false,,false,false,2023-06-29T20:15:00.000Z,0
CVE-2023-31126,https://securityvulnerability.io/vulnerability/CVE-2023-31126,Improper Neutralization of Invalid Characters in Data Attribute Names in org.xwiki.commons:xwiki-commons-xml,"A vulnerability exists in the xwiki-commons-xml library, part of the XWiki platform. The HTML sanitizer introduced in version 14.6-rc-1 does not validate the names of data attributes, so an attribute name containing invalid characters can be used to inject arbitrary HTML and achieve cross-site scripting. Although restricted cleaning in HTMLCleaner is otherwise effective, this gap allows the sanitizer to be bypassed. Versions 14.10.4 and 15.0 RC1 fix the issue by allowing only permitted characters in data attribute names. Users are urged to upgrade, as no other workaround is available.",xwiki,xwiki-commons,9.6,CRITICAL,0.0037299999967217445,false,false,false,false,,false,false,2023-05-09T13:15:00.000Z,0
CVE-2023-29528,https://securityvulnerability.io/vulnerability/CVE-2023-29528,Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml,"The 'restricted' mode of the HTML cleaner in XWiki Commons allows arbitrary HTML to be injected through invalid HTML comments. When a privileged user with programming rights views a comment containing such content, JavaScript executes in that user's session, which can compromise the confidentiality, integrity, and availability of the XWiki instance. The issue is fixed in version 14.10, where HTML comments are sanitized in 'restricted' mode and comments starting with specific characters are rejected. Users are advised to upgrade to that version.",xwiki,xwiki-commons,9,CRITICAL,0.003819999983534217,false,false,false,false,,false,false,2023-04-20T18:15:00.000Z,0
CVE-2023-29201,https://securityvulnerability.io/vulnerability/CVE-2023-29201,org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability,"The restricted mode of the HTML cleaner in XWiki Commons, introduced in version 4.2-milestone-1, does not adequately escape certain HTML attributes, which allows JavaScript to be injected. When a privileged user with programming rights views a malicious comment in XWiki, the injected JavaScript runs in that user's session, which can lead to server-side code execution and compromise the confidentiality, integrity, and availability of the XWiki instance. The issue is fixed in XWiki 14.6 RC1, which replaces the previous filtering with a sanitizer that allows only specified HTML elements and attributes in restricted mode. Users are encouraged to upgrade to a patched version.",xwiki,xwiki-commons,9,CRITICAL,0.004490000195801258,false,false,false,false,,false,false,2023-04-15T15:15:00.000Z,0
CVE-2023-26055,https://securityvulnerability.io/vulnerability/CVE-2023-26055,XWiki Commons may allow privilege escalation to programming rights via user's first name,"A vulnerability in XWiki Commons allows a user who can edit their own profile to inject code through the first name field and have it executed, which can escalate their privileges up to programming rights. The flaw affects versions from 3.1-milestone-1 onward and also applies to other applications that display short text properties. Affected users should upgrade to versions 13.10.9, 14.4.4, or 14.7RC1.",xwiki,xwiki-commons,9.9,CRITICAL,0.0035600000992417336,false,false,false,false,,false,false,2023-03-02T19:15:00.000Z,0
CVE-2022-24897,https://securityvulnerability.io/vulnerability/CVE-2022-24897,Arbitrary filesystem write access from Velocity,"The XWiki Commons package that provides the APIs to evaluate content with Velocity does not, starting with version 2.3 and prior to 12.6.7, 12.10.3, and 13.0, properly sandbox Velocity scripts against the Java File API, so a script can read or write files on the filesystem. Writing such an attacking script requires Script rights in XWiki, so not all users can exploit it, and it also requires finding an XWiki API that returns a `File`. The problem has been patched in versions 12.6.7, 12.10.3, and 13.0. There is no easy workaround other than upgrading and being careful when granting Script rights.",Xwiki,Xwiki-commons,7.5,HIGH,0.004559999797493219,false,false,false,false,,false,false,2022-05-02T21:49:17.000Z,0
CVE-2022-24898,https://securityvulnerability.io/vulnerability/CVE-2022-24898,Arbitrary file access through XML parsing in org.xwiki.commons:xwiki-commons-xml,"org.xwiki.commons:xwiki-commons-xml is a common module used by other XWiki top-level projects. Starting in version 2.7 and prior to versions 12.10.10, 13.4.4, and 13.8-rc-1, a script can read any file accessible to the user running the XWiki application server through XML External Entity (XXE) injection in the XML script service. The problem has been patched in versions 12.10.10, 13.4.4, and 13.8-rc-1. There is no easy workaround other than upgrading and being careful when granting Script rights.",Xwiki,Xwiki-commons,4.9,MEDIUM,0.0021899999119341373,false,false,false,false,,false,false,2022-04-28T19:35:10.000Z,0
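Added example illustrating the CVE-2024-31996 record above (the `{` escaping gap and its `$escapetool.xml` workaround). This is not code from the advisory data or from XWiki: `escape_html` and `escape_xml` are stand-ins that model the described behaviour of the two Velocity tools (the assumption being that the XML variant encodes `{` as `&#123;`), the panel prefix, the attacker value and the Velocity snippet are constructed, and `contains_macro_syntax` is a heuristic check for `{{name` rather than a real XWiki parser. The last two functions show the audit a practitioner would run over their own Velocity documents before applying the advisory's workaround.

```python
import html
import re

# --- Output escaping --------------------------------------------------------

def escape_html(value: str) -> str:
    """Stand-in for $escapetool.html: encodes & < > " ' but leaves '{' alone."""
    return html.escape(value, quote=True)


def escape_xml(value: str) -> str:
    """Stand-in for $escapetool.xml as relied on by the workaround: the same
    HTML escaping plus '{' as a numeric character reference, so '{{' can never
    reach the wiki renderer as macro syntax. Assumed encoding: &#123;."""
    return html.escape(value, quote=True).replace("{", "&#123;")


# Constructed fragment of XWiki syntax that a panel prepends before a
# user-controlled, escaped value (string concatenation avoids %-formatting,
# which would misread the '(% ' group marker).
PANEL_PREFIX = '(% class="panel-title" %)'

# '{{name' (or '{{/name') is what the XWiki 2.x renderer treats as macro syntax.
MACRO_OPEN_RE = re.compile(r"\{\{\s*/?\s*[A-Za-z][A-Za-z0-9_-]*")


def render(user_value: str, escaper) -> str:
    """Escape the user value with the given tool and embed it in wiki content."""
    return PANEL_PREFIX + escaper(user_value)


def contains_macro_syntax(text: str) -> bool:
    """True if the text still carries something the renderer would parse as a macro."""
    return MACRO_OPEN_RE.search(text) is not None


# Constructed attacker-controlled value. Harmless here, but if it reaches the
# renderer unescaped, the script macro executes on the server.
ATTACKER_VALUE = '{{groovy}}println("macro ran"){{/groovy}}'


# --- Auditing Velocity sources for the vulnerable call -----------------------

HTML_ESCAPE_CALL = re.compile(r"\$escapetool\.html\(")

# Constructed sample of a panel document's Velocity code (not the real
# Panels.PanelLayoutUpdate); line 2 uses the vulnerable tool, line 3 the safe one.
SAMPLE_VELOCITY = """#set ($title = $doc.getValue('title'))
(% class="panel-title" %)$escapetool.html($title)
$escapetool.xml($doc.getValue('description'))
"""


def find_html_escape_calls(velocity_source: str) -> list[int]:
    """1-based line numbers on which $escapetool.html( is called."""
    return [i for i, line in enumerate(velocity_source.splitlines(), start=1)
            if HTML_ESCAPE_CALL.search(line)]


def apply_workaround(velocity_source: str) -> str:
    """The advisory's temporary fix: switch every $escapetool.html( to $escapetool.xml(."""
    return HTML_ESCAPE_CALL.sub("$escapetool.xml(", velocity_source)


if __name__ == "__main__":
    for name, esc in (("escape_html", escape_html), ("escape_xml", escape_xml)):
        out = render(ATTACKER_VALUE, esc)
        print(f"{name}: macro syntax survives = {contains_macro_syntax(out)}")
        print("   ", out)
    print("lines still using $escapetool.html:", find_html_escape_calls(SAMPLE_VELOCITY))
    print(apply_workaround(SAMPLE_VELOCITY))
```

Running the block shows that HTML escaping alone stops `<script>` but passes `{{groovy}}` through untouched, while the XML-style escaping neutralises both; the audit functions report line 2 of the sample as vulnerable and produce the patched source. After upgrading to a fixed version the workaround is no longer needed, but the audit is still a useful check for extensions the advisory does not list.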