PRIOn knowledge base: PRION:CVE-2023-26055
Mar 02, 2023 - 7:15 p.m.

Code injection

2023-03-02 19:15:00
PRIOn knowledge base (www.prio-n.com)
Tags: xwiki commons, code injection, vulnerability, patched, versions 13.10.9, 14.4.4, 14.7rc1, short text field

AI Score: 9.3 High
Confidence: High
EPSS: 0.001 Low
Percentile: 48.6%

XWiki Commons are technical libraries common to several other top-level XWiki projects. Starting in version 3.1-milestone-1, any user can edit their own profile and inject code, which is then executed with programming rights. The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field. The problem has been patched in versions 13.10.9, 14.4.4, and 14.7RC1.
