Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XWiki vulnerable to stored cross-site scripting via any wiki document and the displaycontent/rendercontent template
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.2.1 until versions 14.4.8, 14.10.5, and 15.1RC1 of org.xwiki.platform:xwiki-platform-web and any version prior to 14.4.8, 14.10.5, and 15.1.RC1 of org.xwiki.platform:xwiki-platform-web-templates, any user who can edit a document in a wiki like the user profile can create a stored cross-site scripting attack. The attack occurs by putting plain HTML code into that document and then tricking another user to visit that document with the `displaycontent` or `rendercontent` template and plain output syntax. If a user with programming rights is tricked into visiting such a URL, arbitrary actions be performed with this user's rights, impacting the confidentiality, integrity, and availability of the whole XWiki installation. This has been patched in XWiki 14.4.8, 14.10.5 and 15.1RC1 by setting the content type of the response to plain text when the output syntax is not an HTML syntax.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
XWiki Platform 跨站脚本漏洞
Vulnerability Description
XWiki Platform是法国XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 xwiki-platform-web 2.2.1到14.4.8版本、xwiki-platform-web-templates 14.4.8之前版本、14.5到14.10.5版本、15.0-rc-1到15.1-rc-1版本存在跨站脚本漏洞,该漏洞源于任何可以在 wiki 中编辑文档的用户都可以创建存储的跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A