Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
Vulnerability Description
XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
XWiki Commons 跨站脚本漏洞
Vulnerability Description
XWiki Commons是法国XWiki基金会的其他几个顶级 XWiki 项目共有的技术库。 XWiki Commons 4.2-milestone-1版本存在跨站脚本漏洞,该漏洞源于 不转义可用于注入脚本的属性,也不转义其他危险的HTML标签。攻击者利用该漏洞执行恶意代码。
CVSS Information
N/A
Vulnerability Type
N/A