Lookup for vulnerable packages by Package URL.

Purl: pkg:maven/com.xwiki.identity-oauth/identity-oauth-ui@1.6
Type: maven
Namespace: com.xwiki.identity-oauth
Name: identity-oauth-ui
Version: 1.6
Qualifiers:
Subpath:
Is_vulnerable: false
Next_non_vulnerable_version: null
Latest_non_vulnerable_version: null
Affected_by_vulnerabilities:
Fixing_vulnerabilities:
  - url: VCID-127w-r1ud-f7g4
    vulnerability_id: VCID-127w-r1ud-f7g4
    summary:
      Improper Control of Generation of Code ('Code Injection')
      com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request are vulnerable to cross-site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the Groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.
    references:
      - reference_url: https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58
        reference_id:
        reference_type:
        scores:
        url: https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58
      - reference_url: https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6
        reference_id:
        reference_type:
        scores:
        url: https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6
      - reference_url: https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188
        reference_id:
        reference_type:
        scores:
        url: https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188
      - reference_url: https://jira.xwiki.org/browse/XWIKI-20719
        reference_id:
        reference_type:
        scores:
        url: https://jira.xwiki.org/browse/XWIKI-20719
      - reference_url: https://nvd.nist.gov/vuln/detail/CVE-2023-45144
        reference_id: CVE-2023-45144
        reference_type:
        scores:
        url: https://nvd.nist.gov/vuln/detail/CVE-2023-45144
      - reference_url: https://github.com/advisories/GHSA-h2rm-29ch-wfmh
        reference_id: GHSA-h2rm-29ch-wfmh
        reference_type:
        scores:
        url: https://github.com/advisories/GHSA-h2rm-29ch-wfmh
      - reference_url: https://github.com/xwikisas/identity-oauth/security/advisories/GHSA-h2rm-29ch-wfmh
        reference_id: GHSA-h2rm-29ch-wfmh
        reference_type:
        scores:
        url: https://github.com/xwikisas/identity-oauth/security/advisories/GHSA-h2rm-29ch-wfmh
    fixed_packages:
      - url: pkg:maven/com.xwiki.identity-oauth/identity-oauth-ui@1.6
        purl: pkg:maven/com.xwiki.identity-oauth/identity-oauth-ui@1.6
        is_vulnerable: false
        affected_by_vulnerabilities:
        resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/com.xwiki.identity-oauth/identity-oauth-ui@1.6
    aliases: CVE-2023-45144, GHSA-h2rm-29ch-wfmh
    risk_score: null
    exploitability: null
    weighted_severity: null
    resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-127w-r1ud-f7g4
Risk_score: null
Resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/com.xwiki.identity-oauth/identity-oauth-ui@1.6