Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6

Type maven

Namespace org.xwiki.platform

Name xwiki-platform-oldcore

Version 14.10.6

Qualifiers

Subpath

Is_vulnerable false

Next_non_vulnerable_version 14.10.7

Latest_non_vulnerable_version 15.10-rc-1

Affected_by_vulnerabilities

Fixing_vulnerabilities

url VCID-9pzc-wwmb-9ba9

vulnerability_id VCID-9pzc-wwmb-9ba9

summary

XWiki Platform vulnerable to privilege escalation and remote code execution via the edit action
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+ Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue.

references

reference_url	https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4
reference_id
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4

reference_url	https://jira.xwiki.org/browse/XWIKI-20385
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-20385

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-46243
reference_id	CVE-2023-46243
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-46243

reference_url	https://github.com/advisories/GHSA-g2qq-c5j9-5w5w
reference_id	GHSA-g2qq-c5j9-5w5w
reference_type
scores
url	https://github.com/advisories/GHSA-g2qq-c5j9-5w5w

reference_url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w
reference_id	GHSA-g2qq-c5j9-5w5w
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6
purl	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6

url	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.2-rc-1
purl	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.2-rc-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.2-rc-1

aliases CVE-2023-46243, GHSA-g2qq-c5j9-5w5w

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9pzc-wwmb-9ba9

url VCID-k3dm-pjf6-p3b8

vulnerability_id VCID-k3dm-pjf6-p3b8

summary

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows the CSRF token of the user, or if the user ignores the warning about the missing CSRF token. The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.

references

reference_url	https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf
reference_id
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/commit/35e9073ffec567861e0abeea072bd97921a3decf

reference_url	https://jira.xwiki.org/browse/XWIKI-20339
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-20339

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2023-35157
reference_id	CVE-2023-35157
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2023-35157

reference_url	https://github.com/advisories/GHSA-phwm-87rg-27qq
reference_id	GHSA-phwm-87rg-27qq
reference_type
scores
url	https://github.com/advisories/GHSA-phwm-87rg-27qq

reference_url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-phwm-87rg-27qq
reference_id	GHSA-phwm-87rg-27qq
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-phwm-87rg-27qq

fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6
purl	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6

url	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.1-rc-1
purl	pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.1-rc-1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@15.1-rc-1

aliases CVE-2023-35157, GHSA-phwm-87rg-27qq

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k3dm-pjf6-p3b8

Risk_score null

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-oldcore@14.10.6

Package Instance