XWiki Platform 安全漏洞(CVE-2023-35156)

admin

0
文章

0
评论

2023-11-29 22:58:41 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 XWiki Platform 安全漏洞(CVE-2023-35156)

CVE编号

CVE-2023-35156

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-06-24

漏洞描述

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.

解决建议

"将组件 org.xwiki.platform:xwiki-platform-flamingo-skin-resources 升级至 15.1 及以上版本""将组件 org.xwiki.platform:xwiki-platform-flamingo-skin-resources 升级至 14.10.6 及以上版本"

参考链接
https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d...
https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfc...
https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab792557272...
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c
https://jira.xwiki.org/browse/XWIKI-20341
https://jira.xwiki.org/browse/XWIKI-20583
https://jira.xwiki.org/browse/XWIKI-20672

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	xwiki	xwiki	*	From (including) 6.0.1	Up to (excluding) 14.10.6
	运行在以下环境
	应用	xwiki	xwiki	15.0	-
	运行在以下环境
	应用	xwiki	xwiki	6.0	-