XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N

静态存储代码中指令转义处理不恰当(静态代码注入)

XWiki Platform 安全漏洞

XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在安全漏洞，该漏洞源于上传附件时的文件名处理不当，允许用户上传具有恶意文件名的附件，可能导致恶意的JavaScript代码被执行。以下版本受到影响：4.2-milestone-3版本至14.10.21之前版本、15.0-rc-1版本至15.5.5之前版本、15.6-rc-1版本至15.10.6之前版本和16.0.0-rc-1版本至16.0.0之前版本。

N/A

N/A