Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-9u66-jyf4-7yc4

Summary

org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints
It was possible to inject some code using the URL of authenticate endpoints, e.g. `https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword`

Aliases

alias	CVE-2023-29506

alias	GHSA-jjm5-5v9v-7hx2

Fixed_packages

url	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.11
purl	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.11

url	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.7
purl	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.7

url	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.10
purl	pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.10
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.10

Affected_packages

url pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.8

purl pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.8

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9u66-jyf4-7yc4

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@13.10.8

url pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.3

purl pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9u66-jyf4-7yc4

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.4.3

url pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.6

purl pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9u66-jyf4-7yc4

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default@14.6

References

reference_url	https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
reference_id
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380

reference_url	https://jira.xwiki.org/browse/XWIKI-20335
reference_id
reference_type
scores
url	https://jira.xwiki.org/browse/XWIKI-20335

reference_url	https://github.com/advisories/GHSA-jjm5-5v9v-7hx2
reference_id	GHSA-jjm5-5v9v-7hx2
reference_type
scores
url	https://github.com/advisories/GHSA-jjm5-5v9v-7hx2

reference_url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
reference_id	GHSA-jjm5-5v9v-7hx2
reference_type
scores
url	https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2

Weaknesses

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9u66-jyf4-7yc4

Vulnerability Instance