Renniepak

Name of the Vulnerable Software and Affected Versions: XWiki versions 4.2-milestone-1 through 13.10.10 XWiki versions 14.4.0 through 14.4.6 XWiki versions 14.10.0 through 14.9.9 Description: XWiki Rendering is a system that converts textual input into different syntaxes. A flaw exists where the default macro content parser does not properly enforce restrictions when executing nested macros. This allows the execution of macros normally prohibited in restricted mode, specifically script macros. The cache and chart macros included with XWiki are affected by this issue. Recommendations: XWiki versions 4.2-milestone-1 through 13.10.10: Upgrade to version 13.10.11 or later. XWiki versions 14.4.0 through 14.4.6: Upgrade to version 14.4.7 or later. XWiki versions 14.10.0 through 14.9.9: Upgrade to version 14.10 or later. As a temporary measure, disable comments for untrusted users.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 2.5-milestone-2 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1) **Description** The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling cross-site scripting (XSS) attacks. This can be exploited by using a URL such as "xwiki/bin/view/XWiki/Main?xpage=resubmit&resubmit=javascript:alert(document.domain)&xback=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists due to inadequate protection of the web page structure. **Recommendations** For XWiki Platform versions 2.5-milestone-2 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-1 (excluding 15.1-rc-1), update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template resubmit.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 9.4-rc-1 through 14.10.4 XWiki Platform versions 15.0 through 15.1-rc-0 **Description** The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling cross-site scripting (XSS). This can be exploited by using a URL such as "/xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:alert(document.domain)" to perform a XSS attack. The vulnerability exists due to the lack of measures to neutralize alternative XSS syntax. **Recommendations** For XWiki Platform versions 9.4-rc-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.0 through 15.1-rc-0, update to version 15.1-rc-1 or later. As a temporary workaround, consider editing the template restore.vm to perform checks on it, but note that the appropriate fix involves new APIs that have been recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 5.4.4 through 14.4.7 XWiki Platform versions 14.4.8 is not affected, but versions prior to 14.4.8 are affected, the same applies to versions 14.10.4 and 15.0 **Description** A stored cross-site scripting issue can be exploited by users with edit rights by adding a `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting "/xwiki/bin/view/AppWithinMinutes/ClassEditSheet" executes the payload. **Recommendations** For XWiki Platform versions 5.4.4 through 14.4.7, update to version 14.4.8 or later to resolve the issue. For XWiki Platform versions prior to 14.10.4, update to version 14.10.4 or later to resolve the issue. For XWiki Platform versions prior to 15.0, update to version 15.0 or later to resolve the issue. As a temporary workaround, consider updating `AppWithinMinutes.ClassEditSheet` with the provided patch.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 6.1-rc-1 through 14.10.4 XWiki Platform versions 15.1-rc-1 and earlier **Description** The issue allows users to forge a URL with a payload that injects Javascript into the page, enabling a cross-site scripting (XSS) attack. This can be achieved by exploiting the previewactions template. For example, using a URL such as `<hostname>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain)`. The vulnerability has been present since XWiki 6.1-rc-1. **Recommendations** For XWiki Platform versions 6.1-rc-1 through 14.10.4, update to version 14.10.5 or later. For XWiki Platform versions 15.1-rc-1 and earlier, update to version 15.1 or later. As a temporary workaround, consider editing the `previewactions.vm` template to perform checks on it, but note that the appropriate fix involves new APIs recently introduced in XWiki.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.4 XWiki Platform versions prior to 15.0-rc-1 **Description** The issue is related to the XWiki Platform's failure to protect its web page structure, allowing a remote attacker to conduct a cross-site scripting (XSS) attack. This can be achieved by forging a URL with a payload that injects JavaScript into the page. For example, the following URL can execute an action on the browser: <xwiki-host>/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you. **Recommendations** For versions prior to 14.4.8, update to version 14.4.8 or later. For versions prior to 14.10.4, update to version 14.10.4 or later. For versions prior to 15.0-rc-1, update to version 15.0-rc-1 or later. As a temporary workaround, consider applying the patch available at https://github.com/xwiki/xwiki-platform/commit/ca88ebdefb2c9fa41490959cce9f9e62404799e7, which fixes the issue by impacting Velocity templates and page contents.

**Name of the Vulnerable Software and Affected Versions** Collabora Online versions prior to 22.05.13 Collabora Online versions prior to 21.11.9.1 Collabora Online versions prior to 6.4.27 **Description** A stored cross-site scripting (XSS) issue was found in Collabora Online. An attacker could create a document with an XSS payload as a document name. If an administrator opened the admin console and navigated to the history page, the document name was injected as unescaped HTML and executed as a script inside the context of the admin console. This could lead to the leak of the administrator JSON web token (JWT) used for the websocket connection. **Recommendations** For Collabora Online versions prior to 22.05.13, upgrade to Collabora Online 22.05.13 or higher to receive a patch. For Collabora Online versions prior to 21.11.9.1, upgrade to Collabora Online 21.11.9.1 or higher to receive a patch. For Collabora Online versions prior to 6.4.27, upgrade to Collabora Online 6.4.27 or higher to receive a patch.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 2.2-milestone-1 through 14.4.7 XWiki Platform versions 14.4.8 through 14.10.3 XWiki Platform versions 14.10.4 through 15.0-rc-1 (excluding 14.10.4 and 15.0-rc-1) **Description** The issue allows execution of javascript with the right of any user by leading them to a special URL on the wiki targeting a page which contains an attachment. This can be exploited by adding an attachment to a page and then adding a specific query string to the page view URL, such as `?xpage=importinline&editor=%22%3E%3Cimg%20src%20onerror=alert(document.domain)%3E` to execute arbitrary javascript code. **Recommendations** For XWiki Platform versions 2.2-milestone-1 through 14.4.7, update to version 14.4.8 or later. For XWiki Platform versions 14.4.8 through 14.10.3, update to version 14.10.4 or later. For XWiki Platform versions prior to 15.0-rc-1 (excluding 14.10.4 and 15.0-rc-1), update to version 15.0-rc-1 or later. As a temporary workaround, edit the file `<xwiki app>/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 13.10.11 XWiki Platform versions prior to 14.4.8 XWiki Platform versions prior to 14.10.2 XWiki Platform versions prior to 15.0-rc-1 **Description** The issue exists due to the lack of measures to neutralize special elements, allowing a remote attacker to execute arbitrary code. A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the `property` field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. **Recommendations** For versions prior to 13.10.11, upgrade to version 13.10.11 or later. For versions prior to 14.4.8, upgrade to version 14.4.8 or later. For versions prior to 14.10.2, upgrade to version 14.10.2 or later. For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later. As a temporary workaround, consider applying the changes directly in XWiki.AttachmentSelector page, as described in the commit https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1.

**Name of the Vulnerable Software and Affected Versions** Grafana versions prior to 8.5.22 Grafana versions prior to 9.2.15 Grafana versions prior to 9.3.11 **Description** Grafana is an open-source platform for monitoring and observability. A stored XSS vulnerability was found in the Graphite FunctionDescription tooltip. The vulnerability is possible due to the value of the Function Description not being properly sanitized. An attacker needs to have control over the Graphite data source to manipulate a function description, and a Grafana admin needs to configure the data source. Later, a Grafana user needs to select a tampered function and hover over the description. This can allow an attacker to execute arbitrary JavaScript in the browser of the victim, potentially leading to adding the attacker as an admin. **Recommendations** To resolve the issue, upgrade to version 8.5.22, 9.2.15, or 9.3.11 to receive a fix. As a temporary workaround, consider disabling the `FunctionDescription` feature until a patch is available. Restrict access to the Graphite data source to minimize the risk of exploitation. Avoid using the `FunctionDescription` tooltip in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 2.3-milestone-1 through 13.10.10 XWiki Platform versions 14.4.6 and earlier XWiki Platform versions prior to 14.10 **Description** The annotation displayer in XWiki Platform does not execute content in a restricted context, allowing execution of arbitrary code with the rights of the author of any document by annotating the document. This issue has been patched in XWiki 13.10.11, 14.4.7, and 14.10. To reproduce the issue, an annotation can be added with content like `{{groovy}}print "hello"{{/groovy}}`, and upon clicking to display the annotation inline, it should result in an error but instead prints "hello". **Recommendations** For XWiki Platform versions 2.3-milestone-1 through 13.10.10, upgrade to version 13.10.11 or later. For XWiki Platform versions 14.4.6 and earlier, upgrade to version 14.4.7 or later. For XWiki Platform versions prior to 14.10, upgrade to version 14.10 or later. As a temporary workaround, consider restricting the use of the annotation feature until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** The Favicon by RealFaviconGenerator WordPress plugin versions 1.3.20 and earlier **Description** The issue is related to a Reflected Cross-Site Scripting (XSS) that occurs because one of the plugin's parameters is not properly sanitised or escaped before being outputted in the response. This XSS is executed in the context of a logged administrator. **Recommendations** For versions 1.3.20 and earlier, update to a version later than 1.3.20 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ShareThis Dashboard for Google Analytics WordPress plugin versions prior to 2.5.2 **Description** The issue is related to a reflected Cross-Site Scripting problem. It occurs because the `ga action` parameter in the stats view is not properly sanitized or escaped before being outputted back in an attribute when the plugin is connected to a Google Analytics account. This leads to the execution of the issue in the context of a logged-in administrator. **Recommendations** For versions prior to 2.5.2, update to version 2.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the stats view or disabling the plugin until a patch is applied. Avoid using the `ga action` parameter in the affected stats view until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache WordPress plugin versions prior to 2.1.4 **Description** The issue is related to a reflected Cross-Site Scripting (XSS) security vulnerability. This vulnerability is located within the `extension` parameter in the Extensions dashboard. The parameter's output is not properly escaped, which could allow an attacker to run malicious JavaScript within a user's web browser if they can convince an authenticated admin to click a link. This could potentially lead to full site compromise. **Recommendations** For versions prior to 2.1.4, update to version 2.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the Extensions dashboard to minimize the risk of exploitation. Avoid using the `extension` parameter in the affected dashboard until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** W3 Total Cache WordPress plugin versions prior to 2.1.5 **Description** The issue is a reflected Cross-Site Scripting (XSS) problem within the `extension` parameter in the Extensions dashboard. This occurs when the 'Anonymously track usage to improve product quality' setting is enabled, and the parameter is output in a JavaScript context without proper escaping. An attacker could exploit this by convincing an authenticated admin to click a link, allowing the attacker to run malicious JavaScript within the user's web browser, potentially leading to full site compromise. **Recommendations** For versions prior to 2.1.5, update to version 2.1.5 or later to resolve the issue. As a temporary workaround, consider disabling the 'Anonymously track usage to improve product quality' setting until a patch is applied. Restrict access to the Extensions dashboard to minimize the risk of exploitation. Avoid using the `extension` parameter in the affected dashboard until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin versions prior to 7.1.18 **Description** The issue is related to a reflected Cross-Site Scripting problem, where the `result id` parameter is not properly sanitised or escaped when displaying an existing quiz result page. This could lead to privilege escalation by inducing a logged-in admin to open a malicious link. **Recommendations** For versions prior to 7.1.18, update to version 7.1.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the quiz result page or disabling the feature that displays existing quiz results until the update is applied. Avoid using the `result id` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** LinkedIn Oncall versions 1.4.0 and earlier **Description** The issue arises from the mishandling of the "No results found for" message in the search bar, allowing reflected XSS via the "/query" API endpoint. This occurs because of improper handling of user input, which can lead to the execution of malicious scripts. **Recommendations** For LinkedIn Oncall versions 1.4.0 and earlier, consider disabling the search bar functionality or restricting access to the "/query" API endpoint until a patch is available. As a temporary workaround, avoid using the search bar with untrusted input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.