Silverstripe silverstripe/framework through 4.11 allows XSS (issue 2 of 3).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38146
https://forum.silverstripe.org/c/releases
https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstri…
Impact
A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process.
events.js:292
throw er; // Unhandled ‘error’ event
^
Error: read ECONNRESET
at TCP.onStreamRead (inter…
Impact
Another instance of CVE-2022-35935, where SobolSample is vulnerable to a denial of service via assumed scalar inputs, was found and fixed.
import tensorflow as tf
tf.raw_ops.SobolSample(dim=tf.constant([1,0]), num_results=tf.constant([1]), skip=…
Impact
Another instance of CVE-2022-35991, where TensorListScatter and TensorListScatterV2 crash via non scalar inputs inelement_shape, was found in eager mode and fixed.
import tensorflow as tf
arg_0=tf.random.uniform(shape=(2, 2, 2), dtype=tf.float16…
Impact
The application allow anyone with view access to modify any page of the wiki by importing a crafted XAR package.
Patches
The problem has been patched in XWiki 14.6RC1, 14.6 and 13.10.8.
Workarounds
The problem can be patched immediately by setti…
Impact
The modifications rest endpoint does not filter out entries according to the user’s rights.
Therefore, information hidden from unauthorized users are exposed though the modifications rest endpoint (e.g., comments, page names…).
Patches
Users …
Impact
User without the right to view documents can deduce their existence by repeated Livetable queries.
Reproduction steps
Restrict “view” access to Sandbox.TestPage3 by setting an explicit view right for admins
As a user who is not an admin, open &…
Impact
Any user with view rights on commonly accessible documents including the menu macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation due to improper escaping of the macro content and…
Impact
We discovered that when the reset a forgotten password feature of XWiki was used, the password was then stored in plain text in database. This only concerns XWiki 13.1RC1 and next versions.
Note that it only concerns the reset password feature a…
Impact
It’s possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form.
Patches
The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2.
Workarounds
The only workarounds …
