CVE-2021-29459

Published: Apr 20, 2021Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible to persistently inject scripts in XWiki versions prior to 12.6.3 and 12.8. Unregistred users can fill simple text fields. Registered users can fill in their personal information and (if they have edit rights) fill the values of static lists using App Within Minutes. There is no easy workaround except upgrading XWiki. The vulnerability has been patched on XWiki 12.8 and 12.6.3.

Affected (2)

Products: Xwiki: Xwiki

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Xwiki Xwiki	Before 12.6.3
Xwiki Xwiki	From 12.6.4 to 12.8

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5c66-v29h-xjh8

Source: security-advisories@github.com

ExploitThird Party Advisory

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-5c66-v29h-xjh8

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.