Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.0-rc-1
Typemaven
Namespaceorg.xwiki.platform
Namexwiki-platform-attachment-ui
Version14.0-rc-1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version14.4.8
Latest_non_vulnerable_version14.10.2
Affected_by_vulnerabilities
0
url VCID-7kre-64fc-2ufr
vulnerability_id VCID-7kre-64fc-2ufr
summary 
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping in the "Cancel and return to page" button. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996
reference_id
reference_type
scores
url https://github.com/xwiki/xwiki-platform/commit/aca1d677c58563bbe6e35c9e1c29fd8b12ebb996
1
reference_url https://jira.xwiki.org/browse/XWIKI-20275
reference_id
reference_type
scores
url https://jira.xwiki.org/browse/XWIKI-20275
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29516
reference_id CVE-2023-29516
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-29516
3
reference_url https://github.com/advisories/GHSA-3989-4c6x-725f
reference_id GHSA-3989-4c6x-725f
reference_type
scores
url https://github.com/advisories/GHSA-3989-4c6x-725f
4
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f
reference_id GHSA-3989-4c6x-725f
reference_type
scores
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3989-4c6x-725f
fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
purl pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
1
url pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.1
purl pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.1
aliases CVE-2023-29516, GHSA-3989-4c6x-725f
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7kre-64fc-2ufr
1
url VCID-vdcg-c985-1yb4
vulnerability_id VCID-vdcg-c985-1yb4
summary 
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
references
0
reference_url https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1
reference_id
reference_type
scores
url https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1
1
reference_url https://jira.xwiki.org/browse/XWIKI-20364
reference_id
reference_type
scores
url https://jira.xwiki.org/browse/XWIKI-20364
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-29519
reference_id CVE-2023-29519
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-29519
3
reference_url https://github.com/advisories/GHSA-3hjg-cghv-22ww
reference_id GHSA-3hjg-cghv-22ww
reference_type
scores
url https://github.com/advisories/GHSA-3hjg-cghv-22ww
4
reference_url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3hjg-cghv-22ww
reference_id GHSA-3hjg-cghv-22ww
reference_type
scores
url https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3hjg-cghv-22ww
fixed_packages
0
url pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
purl pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.4.8
1
url pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.2
purl pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.2
aliases CVE-2023-29519, GHSA-3hjg-cghv-22ww
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vdcg-c985-1yb4
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.0-rc-1