Manuel Leduc

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.6 XWiki Platform versions prior to 15.1 XWiki Platform versions older than 14.6RC1 with CKEditor Integration extension prior to 1.64.9 **Description** The issue allows any user with edit rights to edit all pages in the `CKEditor` space, enabling harmful actions such as removing technical documents and editing the javascript configuration of CKEditor, leading to persistent XSS. **Recommendations** For XWiki Platform versions prior to 14.10.6, upgrade to version 14.10.6 or later. For XWiki Platform versions prior to 15.1, upgrade to version 15.1 or later. For XWiki Platform versions older than 14.6RC1, update the CKEditor Integration extension to version 1.64.9 or later. As a temporary workaround, consider restricting the `edit` and `delete` rights to a trusted user or group, such as the `XWiki.XWikiAdminGroup` group, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 5.0-milestone-1 through 14.4.7 XWiki Platform versions 14.4.8 is not affected, but versions prior to 14.10.4 are affected XWiki Platform versions prior to 15.0-rc-1 **Description** The XWiki Platform leaks tags from pages not viewable to the current user through the tags API. This information can also be exploited to infer the document reference of non-viewable pages. **Recommendations** For XWiki Platform versions 5.0-milestone-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions prior to 14.10.4, update to version 14.10.4 or later. For XWiki Platform versions prior to 15.0-rc-1, update to version 15.0-rc-1 or later. As a temporary workaround, consider restricting access to the tags API until a patch is available.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.1 XWiki Platform versions prior to 15.0 RC1 **Description** The XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening "/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true" on the XWiki installation. **Recommendations** To resolve the issue for versions prior to 13.10.11, upgrade to version 13.10.11 or later. To resolve the issue for versions prior to 14.4.8, upgrade to version 14.4.8 or later. To resolve the issue for versions prior to 14.10.1, upgrade to version 14.10.1 or later. To resolve the issue for versions prior to 15.0 RC1, upgrade to version 15.0 RC1 or later. As a temporary workaround, consider denying view access to `AppWithinMinutes.LiveTableEditSheet` to prevent creation and editing of App Within Minutes apps.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 14.3-rc-1 through 14.4.5 XWiki Platform versions 14.9-rc-1 and earlier, excluding 14.4.6 and later **Description** The issue arises from the `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` function returning an instance of `com.xpn.xwiki.doc.XWikiAttachment`, which should not be exposed to users without the `programing` right. Instead, `com.xpn.xwiki.api.Attachment` should be used as it checks the user's rights before performing dangerous operations. **Recommendations** For XWiki Platform versions 14.3-rc-1 through 14.4.5, update to version 14.4.6 or later. For XWiki Platform versions 14.9-rc-1 and earlier, excluding 14.4.6 and later, update to version 14.9-rc-1 or later. As a temporary workaround, consider restricting access to the `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 14.0-rc-1 through 14.4-rc-1 **Description** The issue allows storing JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. For example, an attachment with name `><img src=1 onerror=alert(1)>.jpg` will execute the alert. This is possible due to the lack of proper sanitization of attachment names. **Recommendations** For versions 14.0-rc-1 through 14.4-rc-1, update to XWiki 14.4-rc-1 to resolve the issue. As a temporary workaround for versions 14.0-rc-1 through 14.4-rc-1, copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace the vulnerable code with the patched code, specifically replacing ``` #set($titleToDisplay = $services.localization.render('attachment.move.title', [$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()])) ``` with ``` #set($titleToDisplay = $services.localization.render('attachment.move.title', [ $escapetool.xml($attachment.name), $escapetool.xml($doc.plainTitle), $escapetool.xml($doc.getURL()) ])) ```