Vulnerability Information
Vulnerability Title
Remote code execution from login screen through unescaped URL parameter in OAuth Identity XWiki App
Vulnerability Description
com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request are vulnerable to cross-site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the Groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability, and users are advised to upgrade.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
Improper neutralization of input during web page generation (cross-site scripting)
Vulnerability Title
OAuth Identity XWiki App cross-site scripting vulnerability
Vulnerability Description
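OAuth Identity XWiki App is an open-source library from XWiki SAS that provides the basic building blocks for identity and service providers based on OAuth authorization. OAuth Identity XWiki App contains a cross-site scripting vulnerability, which stems from the identityOAuth parameter sent in GET requests being vulnerable to cross-site scripting (XSS) and XWiki syntax injection.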
CVSS Information
N/A
Vulnerability Type
N/A