CVE-2021-21380
CVE-2021-21380 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. EPSS estimates a 1.34% chance of exploitation in the next 30 days.
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API to perform SQL requests without escaping the from and where search arguments. This allows any user with Script rights on XWiki to perform an SQL script injection quite easily. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki is to uninstall the Ratings API in XWiki from the Extension Manager.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xwiki | Xwiki | >= 6.4.1, <= 12.8 |
| Xwiki | Xwiki | 6.4 |
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5 (Third Party Advisory)
- https://jira.xwiki.org/browse/XWIKI-17662 (Issue Tracking, Vendor Advisory)
Source: NVD / NIST
