GHSA-h353-hc43-95vc

GitHub Security Advisory

Script injection without script or programming rights through Gadget titles

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

### Impact
A user without Script or Programming rights is able to execute scripts that require those privileges by editing gadget titles in the dashboard.

### Patches
The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

### Workarounds
There is no easy workaround for this issue; upgrading XWiki is recommended.

### References
https://jira.xwiki.org/browse/XWIKI-17794

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [JIRA](https://jira.xwiki.org)
* Email us at [XWiki security mailing-list](mailto:[email protected])

Affected Packages

* Maven `org.xwiki.commons:xwiki-commons-core`, affected versions: >= 0, < 12.6.7 (fixed in 12.6.7)
* Maven `org.xwiki.commons:xwiki-commons-core`, affected versions: >= 12.10.0, < 12.10.3 (fixed in 12.10.3)

Key Information

GHSA ID: GHSA-h353-hc43-95vc
Published: May 18, 2021 6:36 PM
Last Modified: September 29, 2023 8:11 PM
CVSS Score: 7.5 / 10
Primary Ecosystem: Maven
Primary Package: org.xwiki.commons:xwiki-commons-core
GitHub Reviewed: Yes

Dataset

Last updated: September 24, 2025 6:07 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.