Michitux

Name of the Vulnerable Software and Affected Versions: XWiki Remote Macros versions 1.0 through 1.26.5 Description: XWiki Remote Macros provides XWiki rendering macros used for content migration from Confluence. A missing escaping mechanism in the `width` parameter within the column macro allows for remote code execution. This affects users who can edit pages or access the CKEditor converter. The unescaped `width` parameter enables XWiki syntax injection, potentially allowing execution of Velocity code as the wiki admin or a user with programming rights. Recommendations: Update to version 1.26.5 or later.

Name of the Vulnerable Software and Affected Versions: XWiki versions prior to 9.14 Description: The XWiki blog application allows users of the XWiki platform to create and manage blog posts. Prior to version 9.14, the blog application allowed remote code execution for any logged-in user with edit rights on any page. Exploitation involves adding an object of type `Blog.BlogPostClass` to any page and adding script code to the "Content" field of that object. The vulnerability was addressed in version 9.14 by executing the content of blog posts with the rights of the appropriate author. Recommendations: Upgrade to XWiki version 9.14 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki versions 16.10.10 and below, 17.0.0-rc-1 through 17.4.3, and 17.5.0-rc-1 through 17.6.0 **Description** The XWiki platform contains a REST API that does not limit the number of items requested in a single request. This can cause performance issues, including slowness and unavailability, particularly when requesting a large number of pages. The `/rest/wikis/xwiki/spaces` API endpoint is an example, as it returns all spaces (pages) on the wiki by default. **Recommendations** Update to XWiki version 17.4.4 or later. Update to XWiki version 16.10.11 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki versions prior to 16.4.7 XWiki versions prior to 16.10.3 XWiki versions prior to 17.0.0 **Description** The issue allows any XWiki user with edit rights on at least one App Within Minutes application to obtain programming rights and perform remote code execution by editing the application. **Recommendations** For versions prior to 16.4.7, update to version 16.4.7 or later. For versions prior to 16.10.3, update to version 16.10.3 or later. For versions prior to 17.0.0, update to version 17.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** XWiki versions before 15.10.16 XWiki versions 16.0.0-rc-1 through 16.4.6 XWiki versions 16.5.0-rc-1 through 16.10.1 **Description** The issue concerns XWiki, a generic wiki platform. In affected versions, an attacker without script or programming rights can create an XClass definition, which can lead to malicious code execution when a user with script, admin, or programming rights later edits the document. This is particularly relevant to custom display code, script of computed properties, and queries in database list properties. Warnings for editing documents with dangerous properties were introduced in XWiki 15.9. **Recommendations** For versions before 15.10.16, update to version 15.10.16 or later. For versions 16.0.0-rc-1 through 16.4.6, update to version 16.4.7 or later. For versions 16.5.0-rc-1 through 16.10.1, update to version 16.10.2 or later.

**Name of the Vulnerable Software and Affected Versions** Pro Macros versions prior to 1.10.1 **Description** The issue is related to missing escaping in the Viewpdf macro, which allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. Other macros, such as Viewppt, are vulnerable to the same kind of attack. **Recommendations** For versions prior to 1.10.1, update to version 1.10.1 to patch this security flaw. As a temporary workaround, consider disabling the Viewpdf macro and other vulnerable macros, such as Viewppt, until a patch is available. Restrict access to the `CKEditor.HTMLConverter` page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** XWiki Change Request versions prior to 1.10 **Description** The issue allows an attacker to obtain password hashes of users by editing user profiles and downloading the XML file created by the change request. This vulnerability impacts all versions of Change Request, but the impact depends on the rights set on the wiki, requiring the user to have the Change request right and view rights on the page to target. The issue cannot be easily exploited in an automated way. **Recommendations** For versions prior to 1.10, upgrade to Change Request 1.10 to apply the patch that denies users the right to edit pages containing password fields with change requests. As a temporary workaround, consider denying the Change request right on some spaces, such as the XWiki space, which includes any user profile by default.

**Name of the Vulnerable Software and Affected Versions** Change Request versions 0.11 through 1.9.2 **Description** The issue allows a user without specific rights to perform script injection and remote code execution by inserting an appropriate title when creating a new Change Request. This is particularly critical as Change Request is intended for use by users without particular rights. **Recommendations** For versions prior to 1.9.2, upgrade to Change Request 1.9.2 to resolve the issue. As a temporary workaround for versions prior to 1.9.2, edit the document `ChangeRequest.Code.ChangeRequestSheet` and perform the same change as in the fix commit.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 4.3M2 through 14.10.4 XWiki Platform versions prior to 15.1RC1 **Description** The issue is related to the execution of arbitrary scripts with programming rights by any registered user through the content field of their user profile page, effectively performing rights escalation. This is possible because the AppWithinMinutes Application added support for the Content field since version 4.3M2, allowing any wiki page to use its content as an AWM Content field with a custom displayer that executes the content with the rights of the `AppWithinMinutes.Content` author. **Recommendations** For XWiki Platform versions 4.3M2 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions prior to 15.1RC1, update to version 15.1RC1 or later. As a temporary workaround for older versions, modify the content of the `AppWithinMinutes.Content` page to use the `display` script service to render the content.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 4.1M2 through 14.10.4 XWiki Platform versions prior to 14.10.5 and 15.1RC1 **Description** The issue is related to a stored XSS vulnerability that can be exploited by any registered user through their user profile by setting the payload as the value of the `time zone` user preference. This can be done using JavaScript or by calling the save URL on the user profile with the right query string. Once the time zone is set, it is displayed without escaping, allowing the payload to be executed for any user that visits the malicious user profile. This enables the attacker to steal information and gain more access rights. **Recommendations** For XWiki Platform versions 4.1M2 through 14.10.4, edit the `displayer timezone.vm` file and escape the displayed time zone value by replacing `$!value` with `$!escapetool.xml($value)`. For XWiki Platform versions prior to 14.10.5 and 15.1RC1, update to version 14.10.5 or 15.1RC1 to fix the issue. As a temporary workaround, consider restricting access to the user profile feature until a patch is applied.

Name of the Vulnerable Software and Affected Versions: XWiki versions 5.4.5 through 14.9 Description: XWiki Rendering, a system for converting textual input into different syntaxes, contains a flaw. Prior to version 14.10, the XHTML syntax relied on the `xdom+xml/current` syntax, enabling the insertion of arbitrary HTML content, including JavaScript. This allows for cross-site scripting (XSS) attacks when users with document editing privileges, such as their user profile (enabled by default), modify content. Recommendations: Upgrade to XWiki version 14.10 or later.

**Name of the Vulnerable Software and Affected Versions** DokuWiki versions prior to 2014-05-05 **Description** The issue allows remote attackers to access arbitrary images through a media file details ajax call because it only checks for access to the root namespace. **Recommendations** For versions prior to 2014-05-05, update to a version that includes the fix for this issue to prevent unauthorized access to images.