A user without script/programming right can trick a user with elevated rights to edit a content with a malicious payload using a WYSIWYG editor. The user with elevated rights is not warned beforehand that they are going to edit possibly dangerous content. The payload is executed at edit time.
By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away. Then, as another user without any other right than …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In org.xwiki.platform:xwiki-platform-web versions 7.2-milestone-2 until 14.10.12 and org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-1 and prior to 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard starting in version 2.4-milestone-2 and prior to version 3.1-milestone-1 is vulnerable to cross-site scripting. An attacker can create a template provider on any document that is part of the wiki (could be the attacker's user …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, is vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation form. This allows an attacker to execute arbitrary actions with the rights of the user opening …
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in org.xwiki.platform:xwiki-platform-web-templates.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the resubmit template to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/XWiki/Main xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain). This vulnerability exists since XWiki 2.5-milestone-2. The vulnerability has been patched in XWiki 14.10.5 and …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 3.4-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm. This page is installed by …
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If guest has view right on any document. It's possible to create a new user using the distribution/firstadminuser.wiki in the wrong context. This vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1. There is no known workaround other than upgrading.
Impact It's possible to list some users who are normally not viewable from subwiki by requesting users on a subwiki which allows only global users with uorgsuggest.vm. This issue only concerns hidden users from main wiki. Note that the disclosed information are the username and the first and last name of users, no other information is leaked. Patches The problem has been patched on XWiki 13.10.8, 14.4.3 and 14.7RC1. Workarounds …
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in org.xwiki.platform:xwiki-platform-web-templates.
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. Through the suggestion feature, string and list properties of objects the user shouldn't have access to can be accessed in versions prior to 13.10.4 and 14.2. This includes private personal information like email addresses and salted password hashes of registered users but also other information stored in properties of objects. Sensitive configuration fields like passwords for LDAP …
XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki platform. By passing a template of the distribution wizard to the xpart template, user accounts can be created even when user registration is disabled. This also circumvents any email verification. Before versions 14.2 and 13.10.4, this can also be exploited on a private wiki, thus potentially giving the attacker access to the wiki. Depending on the configured default …
XWiki Platform is a generic wiki platform. Prior to versions 13.10.5 and 14.3, it is possible to perform a Cross-Site Request Forgery (CSRF) attack for adding or removing tags on XWiki pages. The problem has been patched in XWiki 13.10.5 and 14.3. As a workaround, one may locally modify the documentTags.vm template in one's filesystem, to apply the changes exposed there.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A guest user without the right to view pages of the wiki can still list documents related to users of the wiki. The problem has been patched in XWiki versions 12.10.11, 13.4.4, and 13.9-rc-1. There is no known workaround for this problem.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.This template is only used in the following conditions: The wiki must be open to registration for anyone. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. A way to obtain the second condition is when administrators checked the …