Ilie Andriuta

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.14 XWiki Platform versions prior to 15.5.1 XWiki Platform versions prior to 15.6 RC1 **Description** The issue is related to incorrect management of code generation in the XWiki Platform, allowing any user with read access to the document `XWiki.AdminSheet` to execute code, including Groovy code. This impacts the confidentiality, integrity, and availability of the whole XWiki instance. The vulnerability can be exploited by manipulating the `section` URL parameter. For example, an attacker can use the API endpoint "/xwiki/bin/get/Main/WebHome?sheet=XWiki.AdminSheet&viewer=content&section=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger(%22attacker%22).error(%22Attack%20succeeded!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&xpage=view" to test if an XWiki installation is vulnerable. If the attack is successful, it can cause a log message "ERROR attacker - Attack succeeded!" to appear in XWiki's log. **Recommendations** To resolve the issue for versions prior to 14.10.14, upgrade to version 14.10.14 or later. To resolve the issue for versions prior to 15.5.1, upgrade to version 15.5.1 or later. To resolve the issue for versions prior to 15.6 RC1, upgrade to version 15.6 RC1 or later. As a temporary workaround, consider removing view rights for guests from the document `XWiki.AdminSheet` to protect against attacks from unauthenticated users. Alternatively, users unable to upgrade can apply the fix in commit `fec8e0e53f9` manually by replacing the vulnerable code in the document `XWiki.AdminSheet`.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 3.5-milestone-1 through 14.10.8 XWiki Platform versions 15.3-rc-1 and earlier **Description** The issue is related to the disclosure of information in the error data area of the XWiki Platform, specifically in the org.xwiki.platform:xwiki-platform-livetable-ui component. This could allow a remote attacker to gain unauthorized access to protected information. The mail obfuscation configuration was not fully taken into account, making it possible to still obtain obfuscated emails. **Recommendations** For XWiki Platform versions 3.5-milestone-1 through 14.10.8, update to version 14.10.9 or later. For XWiki Platform versions 15.3-rc-1 and earlier, update to version 15.3-rc-1 or later. As a temporary workaround, consider modifying the page `XWiki.LiveTableResultsMacros` following the provided patch.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 6.0-rc-1 through 14.10.5 XWiki Platform version 14.10.6 XWiki Platform version 15.1 **Description** The issue allows users to forge a URL with a payload to inject Javascript in the page, enabling a cross-site scripting (XSS) attack. This can be exploited by using a URL such as "xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists since XWiki 6.0-rc-1. **Recommendations** For XWiki Platform versions 6.0-rc-1 through 14.10.5, update to version 14.10.6 or 15.1 to resolve the issue. For XWiki Platform version 14.10.5, note that the partial patch provided is not enough to entirely fix the vulnerability, so updating to version 14.10.6 or 15.1 is recommended. As a temporary workaround, consider editing the template delete.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 11.8-rc-1 through 14.4.7 XWiki Platform versions 14.4.8 through 14.10.5 XWiki Platform versions 15.1-rc-1 through 15.1 **Description** The issue is related to insecure management of privileges in the `Mail.MailConfig` component of the XWiki Platform. This allows any logged-in user to edit the `Mail.MailConfig` by default, potentially changing the mail obfuscation configuration and viewing or editing the mail sending configuration, including the smtp domain name and credentials. **Recommendations** For XWiki Platform versions 11.8-rc-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.4.8 through 14.10.5, update to version 14.10.6 or later. For XWiki Platform versions 15.1-rc-1 through 15.1, update to version 15.2 or later. As a temporary workaround, consider manually updating the rights of the `Mail.MailConfig` page so that only a set of trusted users can view, edit, and delete it, such as the `XWiki.XWikiAdminGroup` group.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 13.10.11 XWiki versions prior to 14.4.7 XWiki versions prior to 14.10 **Description** A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. This can be achieved by adding malicious data to the `description` field, which is displayed as HTML. For instance, an attacker could add an image with an `onerror` attribute set to execute JavaScript code, such as `<img onerror='alert(1)' src='foo' />`. **Recommendations** For versions prior to 13.10.11, update to version 13.10.11 or later. For versions prior to 14.4.7, update to version 14.4.7 or later. For versions prior to 14.10, update to version 14.10 or later.

**Nome do software vulnerável e versões afetadas** Versões da plataforma XWiki anteriores à 11.10.13 Versões da plataforma XWiki anteriores à 12.6.7 Versões da plataforma XWiki anteriores à 12.10.2 **Descrição** Um usuário desativado em um wiki que utilize verificação por e-mail para registro pode se reativar usando o link de ativação fornecido no momento do registro. **Recomendações** Para versões anteriores à 11.10.13, atualize para a versão 11.10.13 ou posterior. Para versões anteriores à 12.6.7, atualize para a versão 12.6.7 ou posterior. Para versões anteriores à 12.10.2, atualize para a versão 12.10.2 ou posterior. Como solução alternativa temporária, considere redefinir a propriedade `validkey` dos usuários desativados do XWiki editando o perfil do usuário com um editor de objetos.