Veracode Vulnerability Database: VERACODE:41106
History: Jul 03, 2023 - 5:09 a.m. (2023-07-03 05:09:01)

HTML Injection

Source: Veracode Vulnerability Database (sca.analysiscenter.veracode.com)
Tags: html injection, xwiki-commons-xml, htmldefinitions, html sanitizer, malicious code, xwiki

CVSS3: 9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS: 0.002
Percentile: 61.7%

xwiki-commons-xml is vulnerable to HTML injection. The vulnerability exists because the HTMLDefinitions function in HTMLDefinitions.java does not properly disallow form-related tags in the HTML sanitizer, which allows an attacker to inject and execute malicious content such as {{html}}{{/html}} in the context of the XWiki instance.
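To make the sanitizer gap concrete, the following is an added illustration written for this entry; it is not XWiki's code and does not reproduce the real HTMLDefinitions class or the sanitizer library XWiki uses. It implements a small allowlist-based HTML sanitizer and shows the weak configuration (form-related elements present in the allowlist) beside the hardened one (form-related elements excluded), plus a helper that reports which form-related elements appear in a document. The tag sets, attribute allowlist and sample input are constructed assumptions for the example.

```python
from html import escape
from html.parser import HTMLParser

# Form-related elements that a sanitizer for untrusted content should not allow
# (constructed list for this example; not taken from XWiki's HTMLDefinitions).
FORM_TAGS = frozenset({
    "form", "input", "button", "select", "option", "optgroup", "textarea",
    "label", "fieldset", "legend", "datalist", "output",
})

# Minimal formatting allowlist (constructed) and the attributes kept per tag.
SAFE_TAGS = frozenset({"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"})
SAFE_ATTRS = {"a": {"href"}}

# Weak configuration: form-related tags are admitted alongside the safe ones.
PERMISSIVE_TAGS = SAFE_TAGS | FORM_TAGS
# Hardened configuration: form-related tags are explicitly excluded.
HARDENED_TAGS = SAFE_TAGS - FORM_TAGS

# Elements that never get a closing tag in the output.
VOID_TAGS = frozenset({"br", "input"})


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; everything else is dropped
    (tags) or escaped (text). Dropped tag names are recorded for auditing."""

    def __init__(self, allowed_tags, allowed_attrs):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.allowed_attrs = allowed_attrs
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            self.dropped.append(tag)
            return
        permitted = self.allowed_attrs.get(tag, set())
        kept = [
            (k, v) for k, v in attrs
            if k in permitted and v is not None
            and not v.strip().lower().startswith("javascript:")
        ]
        attr_text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form such as <br/>: emit the start tag only.
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in self.allowed_tags and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text content is always kept, but escaped so it cannot form new markup.
        self.out.append(escape(data, quote=False))

    def result(self):
        return "".join(self.out)


def sanitize(html, allowed_tags=HARDENED_TAGS, allowed_attrs=SAFE_ATTRS):
    """Return (sanitized_html, list_of_dropped_tag_names)."""
    parser = AllowlistSanitizer(allowed_tags, allowed_attrs)
    parser.feed(html)
    parser.close()
    return parser.result(), parser.dropped


class _FormTagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        if tag in FORM_TAGS:
            self.found.add(tag)


def form_tags_in(html):
    """Detection helper: the set of form-related tags present in a fragment."""
    collector = _FormTagCollector()
    collector.feed(html)
    collector.close()
    return collector.found


# Constructed sample: benign formatting followed by a form block.
SAMPLE = ('<p>Hello <b>world</b></p>'
          '<form action="/steal"><input name="user"><button>Submit</button></form>')

if __name__ == "__main__":
    print("form tags present:", sorted(form_tags_in(SAMPLE)))
    print("permissive:", sanitize(SAMPLE, PERMISSIVE_TAGS)[0])
    print("hardened:  ", sanitize(SAMPLE)[0])
```

With the permissive allowlist the `<form>`, `<input>` and `<button>` elements survive sanitization (only their attributes are stripped); with the hardened allowlist they are removed and only their text content remains. `form_tags_in` is the kind of check a reviewer can run over a sanitizer's test corpus to confirm that no form-related element passes through.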
