Rating Script Service expose XWiki to SQL injection

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

SQL命令中使用的特殊元素转义处理不恰当(SQL注入)

Thomas Mortagne xwiki-platform SQL注入漏洞

Thomas Mortagne xwiki-platform是Thomas Mortagne开源的一个应用程序。一个通用的Wiki平台，为基于其构建的应用程序提供运行时服务。 XWiki Platform 存在SQL注入漏洞，该漏洞源于评级脚本服务公开一个API来执行SQL请求，而不需要转义搜索参数。

N/A

N/A