org.xwiki.commons:xwiki-commons-xml@14.10.4 vulnerabilities

latest version

16.10.1

latest non vulnerable version

16.10.1

first published

13 years ago

latest version published

16 days ago

licenses detected

LGPL-2.1
[0,)

package manager

View on Maven Repository

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.xwiki.commons:xwiki-commons-xml package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') due to allowing an attacker without `script` right to either create forms that can be used for phishing attacks or also in the context of a sheet. The attacker can add a malicious input that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form). Note: The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document. How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')? Upgrade `org.xwiki.commons:xwiki-commons-xml` to version 14.10.6, 15.2-rc-1 or higher.	[14.6-rc-1,14.10.6)[15.0-rc-1,15.2-rc-1)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') due to allowing an attacker without script right to either create forms that can be used for phishing attacks or also in the context of a sheet. The attacker can add a malicious input that would allow remote code execution when it is submitted by an admin (the sheet is rendered as part of the edit form).

Note:

The attacker would need to ensure that the edit form looks plausible, though, which can be non-trivial as without script right the attacker cannot display the regular content of the document.

How to fix Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')?

Upgrade org.xwiki.commons:xwiki-commons-xml to version 14.10.6, 15.2-rc-1 or higher.

[14.6-rc-1,14.10.6)[15.0-rc-1,15.2-rc-1)

Go back to all versions of this package