VYPR

Maven package

org.xwiki.platform/xwiki-platform-attachment-ui

pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Vulnerabilities (4)

  • CVE-2023-29516, Apr 18, 2023
    affected >= 2.0-rc-2, < 13.10.11; fixed 13.10.11

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights on `XWiki.AttachmentSelector` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The ro

  • CVE-2023-29519, Apr 18, 2023
    affected >= 3.0-rc-1, < 13.10.11; fixed 13.10.11

    XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget

  • CVE-2022-41928, Nov 23, 2022
    affected >= 5.0-milestone-1, < 13.10.7; fixed 13.10.7

    XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. This has been patched in v

  • CVE-2022-36097, Sep 8, 2022
    affected >= 14.0-rc-1, < 14.4-rc-1; fixed 14.4-rc-1

    XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone try