Maven package
org.xwiki.platform/xwiki-platform-attachment-ui
pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-29516 | — | — | — | >= 2.0-rc-2, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The ro |
| CVE-2023-29519 | — | — | — | >= 3.0-rc-1, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget |
| CVE-2022-41928 | — | — | — | >= 5.0-milestone-1, < 13.10.7 | 13.10.7 | Nov 23, 2022 | XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in v |
| CVE-2022-36097 | — | — | — | >= 14.0-rc-1, < 14.4-rc-1 | 14.4-rc-1 | Sep 8, 2022 | XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone try |
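The artifact version of xwiki-platform-attachment-ui follows the XWiki platform release number, so the practical question for an operator is which of the four rows above apply to a given installation. The following triage script is an added example, not XWiki project code or the vulnerability database's own tooling. It encodes the affected ranges exactly as the table states them (lower bound inclusive, upper bound exclusive) and compares versions with a simplified Maven ordering that is sufficient for the strings on this page: numeric base components compare numerically with trailing zeros ignored, and a qualifier sorts before the final release in the order alpha < beta < milestone < rc < snapshot < release. That ordering and the `ADVISORIES` table are the assumptions; if the upstream advisory for a CVE lists additional branch ranges that this page does not show, they must be appended to the list.

```python
"""Triage an installed xwiki-platform-attachment-ui version against the four
advisories in the table above.  Added example; not XWiki project code.

Assumption: a simplified Maven version ordering (see module constants) that
covers the version strings this page uses (13.10.11, 14.4-rc-1, 5.0-milestone-1).
"""

# Qualifier ordering assumed from Maven's ComparableVersion rules for the
# qualifiers that occur on this page; a version without a qualifier is final.
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3, "snapshot": 4}
RELEASE_RANK = 5

# Affected ranges exactly as the table states them: [lower, upper).
ADVISORIES = [
    ("CVE-2023-29516", "2.0-rc-2", "13.10.11"),
    ("CVE-2023-29519", "3.0-rc-1", "13.10.11"),
    ("CVE-2022-41928", "5.0-milestone-1", "13.10.7"),
    ("CVE-2022-36097", "14.0-rc-1", "14.4-rc-1"),
]


def parse_version(version):
    """Return a sortable (base, qualifier_rank, qualifier_number) tuple."""
    head, _, tail = version.strip().lower().partition("-")
    base = [int(part) for part in head.split(".")]
    while base and base[-1] == 0:  # 14.0 and 14 denote the same release
        base.pop()
    if not tail:
        return (tuple(base), RELEASE_RANK, 0)
    name, _, number = tail.partition("-")
    if name not in QUALIFIER_RANK:
        raise ValueError(f"unsupported qualifier {name!r} in {version!r}")
    return (tuple(base), QUALIFIER_RANK[name], int(number) if number else 0)


def in_range(version, lower, upper):
    """True when lower <= version < upper under the ordering above."""
    return parse_version(lower) <= parse_version(version) < parse_version(upper)


def affected_cves(installed):
    """CVE ids from ADVISORIES whose affected range contains `installed`."""
    return [cve for cve, lower, upper in ADVISORIES
            if in_range(installed, lower, upper)]


if __name__ == "__main__":
    # Constructed sample versions chosen to sit on and around the boundaries.
    for v in ["13.10.6", "13.10.10", "13.10.11", "14.0-rc-1", "14.2", "14.4-rc-1"]:
        print(f"{v:12} -> {affected_cves(v) or 'none of the four listed'}")
```

Boundary handling is the part worth checking: 13.10.11 and 14.4-rc-1 are the first fixed versions and fall outside their ranges, 14.0-rc-1 is the first affected version of CVE-2022-36097 and falls inside, and a release candidate such as 14.0-rc-1 sorts below the final 14.0 so that a 14.0 deployment is still caught by the ">= 14.0-rc-1" bound.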
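CVE-2022-36097 is a stored cross-site scripting issue: the attachment name is attacker-controlled data that ends up in a page, so it must be escaped for the HTML context it is written into. The snippet below is an added example in Python, not XWiki's rendering code, showing the unsafe interpolation beside the hardened form and a heuristic audit that flags names carrying markup so that content uploaded before the fix can be reviewed. The link format, the helper names and the attachment names are all constructed for the example; the regular expression is a triage heuristic for review, not a substitute for output encoding.

```python
"""Render attachment names safely and audit stored names for markup.
Added example; not XWiki code.  Names and link format are constructed."""
import html
import re
from urllib.parse import quote

# Heuristic: tag delimiters, a javascript: scheme or an on*= event handler
# have no business in a file name.  Used to flag names for review.
SUSPICIOUS = re.compile(r"<|>|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed test data: two benign names and two carrying payloads.
CONSTRUCTED_NAMES = [
    "report-2022.pdf",
    "<img src=x onerror=alert(document.cookie)>.png",
    "notes onload=alert(1).txt",
    "logo.svg",
]


def suspicious_names(names):
    """Return the names that match the markup heuristic, in input order."""
    return [name for name in names if SUSPICIOUS.search(name)]


def render_link_vulnerable(name):
    # Raw interpolation: a name containing a tag is emitted as live HTML.
    return f'<a href="/download/{name}">{name}</a>'


def render_link_hardened(name):
    # Percent-encode for the URL context and entity-encode for the HTML
    # text context; '<', '>', '&', '"' and "'" can no longer open markup.
    return (f'<a href="/download/{quote(name)}">'
            f'{html.escape(name, quote=True)}</a>')


if __name__ == "__main__":
    for name in suspicious_names(CONSTRUCTED_NAMES):
        print("flagged:", name)
        print("  unsafe:  ", render_link_vulnerable(name))
        print("  hardened:", render_link_hardened(name))
```

The hardened renderer still displays the full original name; it only changes how the characters are encoded, which is the property to preserve when fixing a stored XSS without breaking existing attachments.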