GHSA-mxf2-4r22-5hq9

Suggest an improvement
Source
https://github.com/advisories/GHSA-mxf2-4r22-5hq9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-mxf2-4r22-5hq9/GHSA-mxf2-4r22-5hq9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-mxf2-4r22-5hq9
Aliases
Published
2022-09-16T17:05:12Z
Modified
2023-11-01T04:59:31.459965Z
Severity
  • 8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator
Summary
XWiki Platform Web Parent POM vulnerable to XSS in the attachment history
Details

Impact

It's possible to store a JavaScript which will be executed by anyone viewing the history of an attachment containing javascript in its name.

For example, attachment a file with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.

Patches

This issue has been patched in XWiki 13.10.6 and 14.3RC1.

Workarounds

It is possible to replace viewattachrev.vm, the entry point for this attack, by a patched version from the patch without updating XWiki.

References

  • https://jira.xwiki.org/browse/XWIKI-19612

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Database specific
{
    "nvd_published_at": "2022-09-08T20:15:00Z",
    "github_reviewed_at": "2022-09-16T17:05:12Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-web

Package

Name
org.xwiki.platform:xwiki-platform-web
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.0
Fixed
13.10.6

Maven / org.xwiki.platform:xwiki-platform-web

Package

Name
org.xwiki.platform:xwiki-platform-web
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-web

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0
Fixed
14.3-rc-1