Vulnerability title
Code injection in the display method used for user profiles on the XWiki platform
Vulnerability description
A code injection vulnerability exists in the display method used by user profiles in xwiki-platform.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
N/A
Vulnerability title
Code injection in display method used in user profiles in xwiki-platform
Vulnerability description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The same vulnerability can also be exploited in other contexts where the `display` method on a document is used to display a field with wiki syntax, for example in applications created using `App Within Minutes`. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.2 and 15.0RC1. There is no workaround apart from upgrading.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability category
Improper neutralization of special elements in output (Injection)
Vulnerability title
XWiki Platform injection vulnerability
Vulnerability description
XWiki Platform is a wiki platform from the French company XWiki for building web collaboration applications. XWiki Platform contains an injection vulnerability: any user who can edit their own user profile can execute arbitrary script macros, including Groovy and Python macros that allow remote code execution, including unrestricted read and write access to all wiki contents.
CVSS information
N/A
Vulnerability category
Injection