[MAVEN:GHSA-VMHH-XH3G-J992] Cross-site Scripting in the Flamingo theme manager
Severity: High
Affected Packages: 3
Fixed Packages: 3
CVEs: 1
Impact
We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet
wiki page related to the "newThemeName" form field.
Patches
The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.
Workarounds
The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeSheet
(with the wiki editor) and change the line

```html
<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />
```

into

```html
<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />
```
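The following check is an added example, not code from XWiki or from this advisory: it scans a Velocity template for `$request.<param>` references placed directly inside an HTML attribute value without being wrapped in `$escapetool.xml(...)`, the pattern fixed above. The two sample templates are constructed from the vulnerable and patched lines of the workaround; the `${request.param}` form is handled as an assumption about Velocity's formal reference syntax.

```python
"""Flag unescaped $request.<param> uses in attribute values of an XWiki Velocity template.

Added example (not XWiki's code). The same review step applied to
FlamingoThemesCode.WebHomeSheet would have caught the newThemeName field.
"""
import re

# A double-quoted HTML attribute, e.g. value="$request.newThemeName"
ATTR_RE = re.compile(r'(?P<attr>[\w:-]+)\s*=\s*"(?P<value>[^"]*)"')
# A Velocity reference to a request parameter: $request.foo or ${request.foo}
# (the braced form is assumed from Velocity's formal reference notation)
REQ_RE = re.compile(r'\$\{?request\.(?P<param>\w+)\}?')


def find_unescaped_request_params(template: str):
    """Return [(line_no, attr, param)] for every $request.<param> that sits in an
    attribute value without an enclosing $escapetool.xml( ... ) call."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for attr_match in ATTR_RE.finditer(line):
            value = attr_match.group('value')
            for req in REQ_RE.finditer(value):
                # Check this specific occurrence: text just before must end with
                # "$escapetool.xml(" and text just after must start with ")".
                before = value[:req.start()]
                after = value[req.end():]
                wrapped = (re.search(r'\$escapetool\.xml\(\s*$', before) is not None
                           and re.match(r'\s*\)', after) is not None)
                if not wrapped:
                    findings.append((line_no, attr_match.group('attr'), req.group('param')))
    return findings


# Constructed samples: the vulnerable line from the advisory, then the patched form.
VULNERABLE_TEMPLATE = '''<form action="">
<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />
</form>'''

PATCHED_TEMPLATE = '''<form action="">
<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />
</form>'''

if __name__ == '__main__':
    print(find_unescaped_request_params(VULNERABLE_TEMPLATE))  # [(2, 'value', 'newThemeName')]
    print(find_unescaped_request_params(PATCHED_TEMPLATE))     # []
```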
References
- https://jira.xwiki.org/browse/XWIKI-19294
- https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437
For more information
If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki
* Email us at the security mailing list
Package | Affected Version |
---|---|
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | >= 13.5.0, < 13.10.3 |
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | >= 13.0.0, < 13.4.7 |
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | < 12.10.11 |
Package | Fixed Version |
---|---|
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | = 13.10.3 |
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | = 13.4.7 |
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | = 12.10.11 |
- ID: MAVEN:GHSA-VMHH-XH3G-J992
- Severity: high
- URL: https://github.com/advisories/GHSA-vmhh-xh3g-j992
- Published: 2022-05-25T22:40:57
- Modified: 2023-01-27T05:03:23
- Rights: Maven Security Team
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | >= 13.5.0 < 13.10.3 | |||
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | = 13.10.3 | |||
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | >= 13.0.0 < 13.4.7 | |||
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | = 13.4.7 | |||
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | < 12.10.11 | |||
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui | org.xwiki.platform | xwiki-platform-flamingo-theme-ui | = 12.10.11 | |||