1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-VMHH-XH3G-J992

[MAVEN:GHSA-VMHH-XH3G-J992] Cross-site Scripting in the Flamingo theme manager

Severity High
Affected Packages 3
Fixed Packages 3
CVEs 1
Info Packages References Vulnerabilities

Impact

We found a possible XSS vector in the FlamingoThemesCode.WebHomeSheet wiki page related to the "newThemeName" form field.

Patches

The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

Workarounds

The easiest workaround is to edit the wiki page FlamingoThemesCode.WebHomeSheet (with wiki editor) and change the line


<input type="hidden" name="newThemeName" id="newThemeName" value="$request.newThemeName" />

into


<input type="hidden" name="newThemeName" id="newThemeName" value="$escapetool.xml($request.newThemeName)" />

References

For more information

If you have any questions or comments about this advisory:
* Open an issue in Jira XWiki
* Email us at security mailing list

Package Affected Version
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui >= 13.5.0, < 13.10.3
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui >= 13.0.0, < 13.4.7
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui < 12.10.11
Package Fixed Version
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui = 13.10.3
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui = 13.4.7
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui = 12.10.11
ID
MAVEN:GHSA-VMHH-XH3G-J992
Severity
high
URL
https://github.com/advisories/GHSA-vmhh-xh3g-j992
Published
2022-05-25T22:40:57
(2 years ago)
Modified
2023-01-27T05:03:23
(20 months ago)
Rights
Maven Security Team
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui >= 13.5.0 < 13.10.3
Fixed pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui = 13.10.3
Affected pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui >= 13.0.0 < 13.4.7
Fixed pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui = 13.4.7
Affected pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui < 12.10.11
Fixed pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui org.xwiki.platform xwiki-platform-flamingo-theme-ui = 12.10.11
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date