GHSA-jjm5-5v9v-7hx2

Source

https://github.com/advisories/GHSA-jjm5-5v9v-7hx2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-jjm5-5v9v-7hx2/GHSA-jjm5-5v9v-7hx2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-jjm5-5v9v-7hx2

Aliases

CVE-2023-29506

Published

2023-04-12T20:36:19Z

Modified

2023-11-08T04:12:19.286671Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints

Details

Impact

It was possible to inject some code using the URL of authenticate endpoints, e.g.:

https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword

This vulnerability was present in recent versions of XWiki: - 13.10.8+ - 14.4.3+ - 14.6+

Patches

This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

There is no easy workaround except to upgrade.

References

https://jira.xwiki.org/browse/XWIKI-20335
https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira * Email us at security mailing-list

Database specific

{
    "nvd_published_at": "2023-04-16T07:15:00Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2023-04-12T20:36:19Z",
    "github_reviewed": true
}

References

Affected packages

Maven

org.xwiki.platform:xwiki-platform-security-authentication-default

Package

Name: org.xwiki.platform:xwiki-platform-security-authentication-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.10.8

Fixed

13.10.11

org.xwiki.platform:xwiki-platform-security-authentication-default

Package

Name: org.xwiki.platform:xwiki-platform-security-authentication-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.4.3

Fixed

14.4.7

org.xwiki.platform:xwiki-platform-security-authentication-default

Package

Name: org.xwiki.platform:xwiki-platform-security-authentication-default; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-security-authentication-default

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.6

Fixed

14.10