Lookup for vulnerable packages by Package URL.
| Purl | pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.2 |
|---|
| Type | maven |
|---|
| Namespace | org.xwiki.platform |
|---|
| Name | xwiki-platform-attachment-ui |
|---|
| Version | 14.10.2 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | false |
|---|
| Next_non_vulnerable_version | null |
|---|
| Latest_non_vulnerable_version | null |
|---|
| Affected_by_vulnerabilities |
|
|---|
| Fixing_vulnerabilities |
| 0 |
| url |
VCID-vdcg-c985-1yb4 |
| vulnerability_id |
VCID-vdcg-c985-1yb4 |
| summary |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. Users are advised to upgrade. There are no known workarounds for this vulnerability. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-29519, GHSA-3hjg-cghv-22ww
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vdcg-c985-1yb4 |
|
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui@14.10.2 |
|---|