[MAVEN:GHSA-H353-HC43-95VC] Script injection without script or programming rights through Gadget titles

Severity High

Affected Packages 2

Fixed Packages 2

CVEs 1

A user without Script or Programming right is able to execute script requiring privileges by editing gadget titles in the dashboard.

The issue has been patched in XWiki 12.6.7, 12.10.3 and 13.0RC1.

There's no easy workaround for this issue, it is recommended to upgrade XWiki.

If you have any questions or comments about this advisory:
* Open an issue in JIRA
* Email us at XWiki security mailing-list

Package	Affected Version
pkg:maven/org.xwiki.commons/xwiki-commons-core	>= 12.10.0, < 12.10.3
pkg:maven/org.xwiki.commons/xwiki-commons-core	< 12.6.7

Package	Fixed Version
pkg:maven/org.xwiki.commons/xwiki-commons-core	= 12.10.3
pkg:maven/org.xwiki.commons/xwiki-commons-core	= 12.6.7

Source	# ID	Name	URL
			https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h353-hc43-95vc
			https://jira.xwiki.org/browse/XWIKI-17794
			https://nvd.nist.gov/vuln/detail/CVE-2021-32621
			https://github.com/xwiki/xwiki-platform/commit/bb7068bd911f91e5511f3cfb03276c7ac81100bc
			https://jay-from-future.github.io/cve/2021/06/17/xwiki-rce-cve.html
			https://github.com/advisories/GHSA-h353-hc43-95vc

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.xwiki.commons/xwiki-commons-core	org.xwiki.commons	xwiki-commons-core	>= 12.10.0 < 12.10.3
Fixed	pkg:maven/org.xwiki.commons/xwiki-commons-core	org.xwiki.commons	xwiki-commons-core	= 12.10.3
Affected	pkg:maven/org.xwiki.commons/xwiki-commons-core	org.xwiki.commons	xwiki-commons-core	< 12.6.7
Fixed	pkg:maven/org.xwiki.commons/xwiki-commons-core	org.xwiki.commons	xwiki-commons-core	= 12.6.7

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date