Description
The Nuxeo Platform is an open source content management platform for building business applications. In version 11.5.109, the `oauth2` REST API is vulnerable to Reflected Cross-Site Scripting (XSS). This XSS can be escalated to Remote Code Execution (RCE) by levering the automation API.
Remediation
References
https://github.com/nuxeo/nuxeo/blob/master/modules/platform/nuxeo-platform-oauth/src/main/java/org/nuxeo/ecm/webengine/oauth2/OAuth2Callback.java
https://securitylab.github.com/advisories/GHSL-2021-072-nuxeo
Related Vulnerabilities
CVE-2022-36094 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates
CVE-2017-1000486 Vulnerability in maven package org.primefaces:primefaces
CVE-2022-28135 Vulnerability in maven package org.jvnet.hudson.plugins:instant-messaging
CVE-2022-21169 Vulnerability in npm package express-xss-sanitizer
CVE-2023-34464 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web