GHSA-f963-4cq8-2gw7
GitHub Security Advisory
In XWiki Platform, payloads stored in content are executed when a user with script/programming rights edits them
Advisory Details
### Impact
A user without script/programming rights can trick a user with elevated rights into editing content that contains a malicious payload using a WYSIWYG editor.
The user with elevated rights is not warned beforehand that they are about to edit potentially dangerous content.
The payload is executed at edit time, with the rights of the editing user.
### Patches
This vulnerability has been patched in XWiki 15.10RC1.
### Workarounds
No workaround is available. It is advised to upgrade to XWiki 15.10+.
### References
* https://jira.xwiki.org/browse/XWIKI-20331
* https://jira.xwiki.org/browse/XWIKI-21311
* https://jira.xwiki.org/browse/XWIKI-21481
* https://jira.xwiki.org/browse/XWIKI-21482
* https://jira.xwiki.org/browse/XWIKI-21483
* https://jira.xwiki.org/browse/XWIKI-21484
* https://jira.xwiki.org/browse/XWIKI-21485
* https://jira.xwiki.org/browse/XWIKI-21486
* https://jira.xwiki.org/browse/XWIKI-21487
* https://jira.xwiki.org/browse/XWIKI-21488
* https://jira.xwiki.org/browse/XWIKI-21489
* https://jira.xwiki.org/browse/XWIKI-21490
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
### Attribution
This vulnerability was reported on Intigriti by @floerer.
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.