GHSA-9jq9-c2cv-pcrj

GitHub Security Advisory

Cross-site Scripting by SVG upload in xwiki-platform

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

### Impact
With the default XWiki configuration, an attacker who can upload attachments can upload an SVG file containing script. Because the default configuration serves SVG attachments inline, the script executes in the victim's browser, in the wiki's origin, when the victim opens the file through the download action (for example by following a link to the attachment).

### Patches
This problem has been patched by changing the default configuration so that SVG attachments are no longer displayed inline in the browser; they are served as downloads instead.

### Workarounds
This issue can be mitigated without the patch by configuring which attachment types are displayed inline and which are forced to download, so that SVG files fall into the download category. See: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload
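The decision the Impact and Workarounds sections turn on, serving an attachment inline versus forcing a download, is illustrated below. This is an added example written for this page; it is not XWiki's code and does not reproduce XWiki's configuration property names (those are in the documentation linked above). The MIME lists (`FORCE_DOWNLOAD_TYPES`, `WEAK_TYPES`), the sample SVG payloads and the function names are all constructed for illustration.

```python
"""
Inline-vs-download decision for wiki attachments.

Added example for this advisory; it is not XWiki's code and does not use
XWiki's property names. The MIME lists, the sample SVGs and the function
names are all constructed for illustration.
"""
import re

# Constructed sample payload: an SVG that runs script if a browser renders it
# as a document. Served inline from the wiki's origin (the pre-patch default
# for .svg), the script runs with the victim's session.
MALICIOUS_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>alert(document.cookie)</script>
</svg>
"""

# Constructed sample: an ordinary SVG with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="red"/>
</svg>
"""

# Types a browser renders as a document that can execute script. This stands
# in for the patched default; it is a constructed list, not XWiki's value.
FORCE_DOWNLOAD_TYPES = frozenset({
    "image/svg+xml",           # the type this advisory is about
    "text/html",
    "application/xhtml+xml",
    "text/javascript",
    "application/xml",
    "text/xml",
})

# Stands in for a configuration that forgot SVG (the pre-patch situation).
WEAK_TYPES = frozenset({"text/html", "text/javascript"})

# Script element, event-handler attribute, or javascript: URL inside the markup.
_ACTIVE_SVG = re.compile(rb"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)


def looks_like_scripted_svg(data: bytes) -> bool:
    """Content check independent of the declared type: an <svg> root plus
    script-bearing markup in the first 4 KiB. Defence in depth, because the
    declared MIME type is normally derived from the uploader-chosen filename."""
    head = data[:4096]
    return b"<svg" in head.lower() and _ACTIVE_SVG.search(head) is not None


def must_download(mime_type: str, data: bytes,
                  force_download: frozenset = FORCE_DOWNLOAD_TYPES,
                  sniff: bool = True) -> bool:
    """True if the attachment must be served with Content-Disposition:
    attachment rather than displayed inline."""
    base = mime_type.split(";", 1)[0].strip().lower()
    if base in force_download:
        return True
    return sniff and looks_like_scripted_svg(data)


def attachment_headers(filename: str, mime_type: str, data: bytes,
                       force_download: frozenset = FORCE_DOWNLOAD_TYPES) -> dict:
    """Response headers for serving an attachment. 'attachment' makes the
    browser save the file instead of rendering it in the wiki's origin;
    nosniff stops the browser from overriding the declared type."""
    # Keep the filename header-safe: no quotes, CR/LF or path separators.
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "download"
    disposition = "attachment" if must_download(mime_type, data, force_download) else "inline"
    return {
        "Content-Type": mime_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    for label, types in (("weak config", WEAK_TYPES), ("patched default", FORCE_DOWNLOAD_TYPES)):
        # sniff=False isolates the effect of the configuration alone
        inline = not must_download("image/svg+xml", MALICIOUS_SVG, types, sniff=False)
        print(f"{label}: evil.svg served {'inline (script runs)' if inline else 'as a download'}")
    print(attachment_headers("evil.svg", "image/svg+xml", MALICIOUS_SVG))
```

Note that the patched behaviour described in the advisory forces a download for every SVG, not only for SVGs that contain script; the content check here is an extra layer, not a substitute for that default, since reliably sanitising SVG is harder than refusing to render it in the wiki's origin.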

### References
https://jira.xwiki.org/browse/XWIKI-18368

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org)
* Email us at [security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-oldcore
Affected versions: all versions before 12.10.6 (fixed in 12.10.6)
Affected versions: 13.0 up to, but not including, 13.3RC1 (fixed in 13.3RC1)
Maven org.xwiki.platform:xwiki-platform-tool-configuration-resources
Affected versions: all versions before 12.10.6 (fixed in 12.10.6)
Affected versions: 13.0 up to, but not including, 13.3RC1 (fixed in 13.3RC1)

Key Information

GHSA ID
GHSA-9jq9-c2cv-pcrj
Published
February 10, 2022 10:42 PM
Last Modified
February 11, 2022 9:08 PM
CVSS Score
5.0 / 10
Primary Ecosystem
Maven
Primary Package
org.xwiki.platform:xwiki-platform-oldcore
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 29, 2025 6:37 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.