CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 10.3%
org.xwiki.commons:xwiki-commons-velocity is vulnerable to Remote Code Execution (RCE). The HTML escaping tool that XWiki exposes to Velocity templates does not escape the { character, so user-controlled text that is only HTML-escaped before being written into a wiki page can still carry XWiki syntax, including the {{ macro delimiter. An attacker who gets such text rendered can therefore inject wiki syntax, and through a script macro potentially achieve RCE on the server.
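The following is an added illustration, not XWiki's code and not the fix from the linked commits. It models the weakness with a simplified Python escaper: one that handles the usual HTML metacharacters but leaves { alone, beside a hardened variant that also encodes { as a numeric character reference (the exact fix XWiki applied should be taken from the referenced commits; encoding as &#123; is an assumption here). The sample payload and the probe set are constructed for the example.

```python
import html

# Constructed sample: attacker-controlled text that a Velocity template
# inserts into a wiki page after HTML-escaping it. In XWiki 2.x syntax,
# {{name}}...{{/name}} invokes a macro, so surviving "{{" is the danger.
PAYLOAD = '{{groovy}}println("owned"){{/groovy}}'

# Characters an auditor would probe an escaper with: the HTML
# metacharacters plus the wiki-syntax macro opener (constructed list).
PROBE_CHARS = ['<', '>', '&', '"', "'", '{']


def weak_html_escape(text: str) -> str:
    """Model of the vulnerable behaviour: escapes < > & " ' but not '{'."""
    return html.escape(text, quote=True)


def hardened_html_escape(text: str) -> str:
    """Same escaper, additionally encoding '{' as &#123; (assumed fix shape).

    The HTML renderer turns &#123; back into '{' for the browser, but the
    wiki-syntax parser never sees a literal '{{', so no macro can form.
    """
    return weak_html_escape(text).replace('{', '&#123;')


def render_paragraph(escaper, user_input: str) -> str:
    """Stand-in for a template that wraps escaped user input in markup."""
    return '<p>' + escaper(user_input) + '</p>'


def contains_macro_delimiter(rendered: str) -> bool:
    """True if the XWiki macro opener survived escaping."""
    return '{{' in rendered


def unescaped_probe_chars(escaper) -> list:
    """Audit helper: which probe characters pass through the escaper verbatim?"""
    return [c for c in PROBE_CHARS if escaper(c) == c]


if __name__ == '__main__':
    for name, esc in (('weak', weak_html_escape), ('hardened', hardened_html_escape)):
        out = render_paragraph(esc, PAYLOAD)
        print(f'{name}: macro delimiter present={contains_macro_delimiter(out)} '
              f'leaks={unescaped_probe_chars(esc)}')
        print('   ', out)
```

Run the audit helper against any escaper you rely on before trusting it in a context where its output is later parsed as wiki syntax; an escaper that is correct for HTML can still be wrong for the outer parser.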
github.com/advisories/GHSA-hf43-47q4-fhq5
github.com/xwiki/xwiki-commons/commit/b0805160ec7b01ee12417e79cb384e60ae4817aa
github.com/xwiki/xwiki-commons/commit/b94142e2a66ec32e89eacab67c3da8d91f5ef93a
github.com/xwiki/xwiki-commons/commit/ed7ff515a2436a1c6dcbd0c6ca0c41e434d58915
github.com/xwiki/xwiki-commons/security/advisories/GHSA-hf43-47q4-fhq5
jira.xwiki.org/browse/XCOMMONS-2828
jira.xwiki.org/browse/XWIKI-21438