Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
Type maven
Namespace org.xwiki.platform
Name xwiki-platform-livedata-macro
Version 14.4.7
Qualifiers
Subpath
Is_vulnerable false
Next_non_vulnerable_version 14.10
Latest_non_vulnerable_version 14.10
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-16tw-rke6-7bdp
vulnerability_id VCID-16tw-rke6-7bdp
summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce a stored cross-site scripting by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.
references
0
reference_url https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79
reference_id
reference_type
scores
url https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79
1
reference_url https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028
reference_id
reference_type
scores
url https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028
2
reference_url https://jira.xwiki.org/browse/XWIKI-20143
reference_id
reference_type
scores
url https://jira.xwiki.org/browse/XWIKI-20143
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-26480
reference_id CVE-2023-26480
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-26480
4
reference_url https://github.com/advisories/GHSA-32fq-m2q5-h83g
reference_id GHSA-32fq-m2q5-h83g
reference_type
scores
url https://github.com/advisories/GHSA-32fq-m2q5-h83g
5
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
reference_id GHSA-32fq-m2q5-h83g
reference_type
scores
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.10
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cawb-zpmc-b3dp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.10
1
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
2
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.9
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.9
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-cawb-zpmc-b3dp
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.9
aliases CVE-2023-26480, GHSA-32fq-m2q5-h83g
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-16tw-rke6-7bdp
1
url VCID-cawb-zpmc-b3dp
vulnerability_id VCID-cawb-zpmc-b3dp
summary
org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

```javascript
{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}
```
references
0
reference_url https://github.com/xwiki/xwiki-platform
reference_id
reference_type
scores
url https://github.com/xwiki/xwiki-platform
1
reference_url https://jira.xwiki.org/browse/XWIKI-20312
reference_id
reference_type
scores
url https://jira.xwiki.org/browse/XWIKI-20312
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29508
reference_id CVE-2023-29508
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-29508
3
reference_url https://github.com/advisories/GHSA-hmm7-6ph9-8jf2
reference_id GHSA-hmm7-6ph9-8jf2
reference_type
scores
url https://github.com/advisories/GHSA-hmm7-6ph9-8jf2
4
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
reference_id GHSA-hmm7-6ph9-8jf2
reference_type
scores
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.11
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@13.10.11
1
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7
2
url pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.10
purl pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.10
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.10
aliases CVE-2023-29508, GHSA-hmm7-6ph9-8jf2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cawb-zpmc-b3dp
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7