Improper Input Validation Affecting org.xwiki.platform:xwiki-platform-tag-ui package, versions [0,13.10.6) [14.0-rc-1,14.5)
Proof of concept
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
9 Sep 2022
9 Sep 2022
How to fix?
org.xwiki.platform:xwiki-platform-tag-ui to version 13.10.6, 14.5 or higher.
Affected versions of this package are vulnerable to Improper Input Validation via the tags document
Main.Tags, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights.
Users who are not able to update to the fixed versions manually apply the patch that fixes the issue to the document
Main.Tags, or the updated version of that document can be imported from version 14.4 of
xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.