Description

XWiki Commons are technical libraries common to several other top level XWiki projects. A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Remediation

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2

https://jira.xwiki.org/browse/XWIKI-20312

Related Vulnerabilities

CVE-2024-36401 Vulnerability in maven package org.geoserver:gs-wfs

CVE-2017-9805 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2015-5348 Vulnerability in maven package org.apache.camel:camel-http

CVE-2009-0781 Vulnerability in maven package tomcat:catalina

CVE-2020-2111 Vulnerability in maven package org.jenkins-ci.plugins:subversion

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Vendor Advisory Issue Tracking