Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10.
Remediation
References
Related Vulnerabilities
MySQL CVE-2024-21231 Vulnerability (CVE-2024-21231)
WordPress Plugin Testimonial WordPress-AP Custom Testimonial Unspecified Vulnerability (1.4.7)
Perl Improper Link Resolution Before File Access ('Link Following') Vulnerability (CVE-1999-1386)
WordPress Plugin Font-official webfonts plugin of Fonts For Web Cross-Site Scripting (7.5.1)