Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2021-43841

XWiki is a generic wiki platform offering runtime services for applications built on top of it. When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. Users are advised to update or to disallow uploads of SVG files.

Published

2022-02-04T23:15:11.957

Last Modified

2024-11-21T06:29:54.490

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.4 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:S/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

6.8

Impact Score

2.9

Weaknesses

Type: Secondary
CWE-79
Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	xwiki	xwiki	< 12.10.6	Yes
Application	xwiki	xwiki	≤ 13.2	Yes

References

https://github.com/xwiki/xwiki-platform/commit/5853d492b3a274db0d94d560e2a5ea988a271c62 Patch, Third Party Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9jq9-c2cv-pcrj Third Party Advisory ([email protected])
https://jira.xwiki.org/browse/XWIKI-18368 Exploit, Patch, Vendor Advisory ([email protected])
https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload Vendor Advisory ([email protected])
https://github.com/xwiki/xwiki-platform/commit/5853d492b3a274db0d94d560e2a5ea988a271c62 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9jq9-c2cv-pcrj Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://jira.xwiki.org/browse/XWIKI-18368 Exploit, Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)