Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
Vulnerability Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Vulnerability Type
静态存储代码中指令转义处理不恰当(静态代码注入)
Vulnerability Title
XWiki Platform 安全漏洞
Vulnerability Description
XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在安全漏洞,该漏洞源于上传附件时的文件名处理不当,允许用户上传具有恶意文件名的附件,可能导致恶意的JavaScript代码被执行。以下版本受到影响:4.2-milestone-3版本至14.10.21之前版本、15.0-rc-1版本至15.5.5之前版本、15.6-rc-1版本至15.10.6之前版本和16.0.0-rc-1版本至16.0.0之前版本。
CVSS Information
N/A
Vulnerability Type
N/A