Maven package
org.xwiki.platform/xwiki-platform-oldcore
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
Vulnerabilities (45)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-36468 | — | | | >= 2.0, < 14.10.7 | 14.10.7 | Jun 29, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an XWiki installation is upgraded and that upgrade contains a fix for a bug in a document, just a new version of that document is added. In some cases, it's still possibl |
| CVE-2023-35157 | — | | | >= 3.2-milestone-3, < 14.10.6 | 14.10.6 | Jun 23, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to perform an XSS by forging a request to a delete attachment action with a specific attachment name. Now this XSS can be exploited only if the attacker knows th |
| CVE-2023-32068 | — | | | < 14.10.4 | 14.10.4 | May 15, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions prior to 14.10.4 it's possible to exploit well known parameters in XWiki URLs to perform redirection to untrusted site. This vulnerability was partially fixed in t |
| CVE-2023-29523 | — | | | >= 3.3-milestone-1, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted rea |
| CVE-2023-29526 | — | | | >= 10.11.1, < 13.10.11 | 13.10.11 | Apr 18, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to display or interact with any page a user cannot access through the combination of the async and display macros. A comment with either mac |
| CVE-2023-29507 | — | | | >= 14.5, < 14.10 | 14.10 | Apr 16, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is use |
| CVE-2023-29208 | — | | | >= 1.2-milestone-1, < 13.10.11 | 13.10.11 | Apr 15, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. Rights added to a document are not taken into account for viewing it once it's deleted. Note that this vulnerability only impact deleted documents that where containing view rights: the view r |
| CVE-2023-29204 | — | | | >= 6.0-rc-1, < 13.10.10 | 13.10.10 | Apr 15, 2023 | XWiki Commons are technical libraries common to several other top level XWiki projects. It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to by |
| CVE-2023-26470 | — | | | < 14.0-rc-1 | 14.0-rc-1 | Mar 2, 2023 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). Most of the time this will fill the memory allocated to XWiki and mak |
| CVE-2023-26474 | — | | | >= 13.10, < 13.10.11 | 13.10.11 | Mar 2, 2023 | XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds. |
| CVE-2022-41932 | — | | | < 13.10.8 | 13.10.8 | Nov 23, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. This may lead to degraded database per |
| CVE-2022-41929 | — | | | >= 11.7RC1, < 13.10.7 | 13.10.7 | Nov 23, 2022 | org.xwiki.platform:xwiki-platform-oldcore is missing authorization in User#setDisabledStatus, which may allow an incorrectly authorized user with only Script rights to enable or disable a user. This operation is meant to only be available for users with admin rights. This problem |
| CVE-2022-36092 | — | | | < 13.10.4 | 13.10.4 | Sep 8, 2022 | XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 14.2 and 13.10.4, all rights checks that would normally prevent a user from viewing a document on a wiki can be bypassed using the login action and directly specified template |
| CVE-2022-36090 | — | | | >= 1.1, < 13.10.5 | 13.10.5 | Sep 8, 2022 | XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.1.0.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user |
| CVE-2022-31166 | — | | | >= 11.3.7, < 13.10.4 | 13.10.4 | Sep 7, 2022 | XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Starting in versions 11.3.7, 11.0.3, and 12.0RC1, it is possible to exploit a bug in XWikiRights resolution of groups to obtain privilege escalation. More specifically, editing a right with the |
| CVE-2022-29253 | — | | | >= 8.3-rc-1, < 13.10.3 | 13.10.3 | May 25, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting with version 8.3-rc-1 and prior to versions 12.10.3 and 14.0, one can ask for any file located in the classloader using the template API and a path with ".." in it. T |
| CVE-2022-23621 | — | | | >= 13.6-rc-1, < 13.7-rc-1 | 13.7-rc-1 | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can read any file located in the XWiki WAR (for example xwiki.cfg and xwiki.properties) through XWiki#invokeServletAndReturnAsS |
| CVE-2022-23618 | — | | | < 12.10.7 | 12.10.7 | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is no protection against URL redirection to untrusted sites, in particular some well known parameters (xredirect) can be used to perform url redirec |
| CVE-2022-23617 | — | | | < 12.10.6 | 12.10.6 | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in X |
| CVE-2022-23615 | — | | | >= 1.0, < 13.0 | 13.0 | Feb 9, 2022 | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with SCRIPT right can save a document with the right of the current user which allow accessing API requiring programming right if the current use |
Page 2 of 3