Vulnerability title
Cross-site scripting (XSS) in xwiki-platform
Vulnerability description
XWiki Platform is a generic wiki platform that provides runtime services for applications built on top of it. Any user who can create a space can become the admin of that space through App Within Minutes. The admin right implies the script right and therefore allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button is disabled because the user does not have the global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true` on the XWiki installation. XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1 fix this vulnerability by no longer granting the space admin right when the user does not have the script right on the space where the app is created. In that case an error message is displayed warning the user that the app will not work properly. The fix does not remove the space admin right from users who already obtained it through this vulnerability, so it is recommended to check whether all users who created AWM apps should keep their space admin rights. Users are advised to upgrade. There are currently no known workarounds for this vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Vulnerability category
N/A
Vulnerability title
Cross-site scripting (XSS) in xwiki-platform
Vulnerability description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have the global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true` on the XWiki installation. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1 by not granting the space admin right if the user doesn't have the script right on the space where the app is created. In this case an error message is displayed to warn the user that the app will be broken. Users who became space admin through this vulnerability won't lose the space admin right as a result of the fix, so it is advised to check whether all users who created AWM apps should keep their space admin rights. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Vulnerability category
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Vulnerability title
XWiki Platform cross-site scripting vulnerability
Vulnerability description
XWiki Platform is a wiki platform from the French company XWiki for building collaborative web applications. XWiki Platform contains a cross-site scripting vulnerability, which stems from the fact that any user who can create a space can become admin of that space through App Within Minutes.
CVSS information
N/A
Vulnerability category
Cross-site scripting