Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
XWiki Platform has an SQL injection in getdocuments.vm with sort parameter
Vulnerability Description
XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 13.10.5 and 14.3-rc-1, in `getdocument.vm`; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This has been patched in 13.10.5 and 14.3-rc-1. There is no known workaround, other than upgrading XWiki.
CVSS Information
N/A
Vulnerability Type
对输出编码和转义不恰当
Vulnerability Title
XWiki Platform 安全漏洞
Vulnerability Description
XWiki Platform是XWiki开源的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform 11.10.6版本到14.3-rc-1版本存在安全漏洞,该漏洞源于在getdocument.vm中,返回文档的顺序是从未清理的请求参数request.sort定义的,并且可以允许任何用户注入SQL。
CVSS Information
N/A
Vulnerability Type
N/A