Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5

Type maven

Namespace org.xwiki.platform

Name xwiki-platform-appwithinminutes-ui

Version 14.10.5

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 15.0

Latest_non_vulnerable_version 15.1-rc-1

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-qth5-3ufg-bucx

vulnerability_id VCID-qth5-3ufg-bucx

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the DeleteApplication page to perform a XSS, e.g. by using URL such as: > xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.2-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.

references

reference_url	https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305
reference_id
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/commit/8f5a889b7cd140770e54f5b4195d88058790e305

reference_url	https://jira.xwiki.org/browse/XWIKI-20583
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-20583

reference_url	https://jira.xwiki.org/browse/XWIKI-20614
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-20614

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-35161
reference_id	CVE-2023-35161
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-35161

reference_url	https://github.com/advisories/GHSA-4xm7-5q79-3fch
reference_id	GHSA-4xm7-5q79-3fch
reference_type
scores
url	https://github.com/advisories/GHSA-4xm7-5q79-3fch

reference_url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4xm7-5q79-3fch
reference_id	GHSA-4xm7-5q79-3fch
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4xm7-5q79-3fch

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5
purl	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5

url	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@15.1-rc-1
purl	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@15.1-rc-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@15.1-rc-1

aliases CVE-2023-35161, GHSA-4xm7-5q79-3fch

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qth5-3ufg-bucx

url VCID-rfw8-d1zs-ruck

vulnerability_id VCID-rfw8-d1zs-ruck

summary

XWiki Platform privilege escalation (PR) from account through AWM content fields
Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation.

references

reference_url	https://github.com/xwiki/xwiki-platform/commit/dfb1cde173e363ca5c12eb3654869f9719820262
reference_id
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/commit/dfb1cde173e363ca5c12eb3654869f9719820262

reference_url	https://jira.xwiki.org/browse/XWIKI-7369
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-7369

reference_url	https://github.com/advisories/GHSA-5mf8-v43w-mfxp
reference_id	GHSA-5mf8-v43w-mfxp
reference_type
scores
url	https://github.com/advisories/GHSA-5mf8-v43w-mfxp

reference_url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5mf8-v43w-mfxp
reference_id	GHSA-5mf8-v43w-mfxp
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5mf8-v43w-mfxp

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5
purl	pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5

aliases CVE-2023-40177, GHSA-5mf8-v43w-mfxp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rfw8-d1zs-ruck

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui@14.10.5

Package Instance