From 88d4292255c2cb094982ab8f42645df67ea79a42 Mon Sep 17 00:00:00 2001
From: CVE Team
Date: Wed, 9 Feb 2022 22:01:21 +0000
Subject: [PATCH] "-Synchronized-Data."
---
 2022/0xxx/CVE-2022-0554.json | 18 ++++++++++++++++++
 2022/23xxx/CVE-2022-23617.json | 2 +-
 2022/23xxx/CVE-2022-23622.json | 2 +-
 2022/23xxx/CVE-2022-23631.json | 2 +-
 4 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 2022/0xxx/CVE-2022-0554.json
diff --git a/2022/0xxx/CVE-2022-0554.json b/2022/0xxx/CVE-2022-0554.json
new file mode 100644
index 00000000000..a8e6d8f08e8
--- /dev/null
+++ b/2022/0xxx/CVE-2022-0554.json
@@ -0,0 +1,18 @@
+{
+ "data_type": "CVE",
+ "data_format": "MITRE",
+ "data_version": "4.0",
+ "CVE_data_meta": {
+ "ID": "CVE-2022-0554",
+ "ASSIGNER": "cve@mitre.org",
+ "STATE": "RESERVED"
+ },
+ "description": {
+ "description_data": [
+ {
+ "lang": "eng",
+ "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/2022/23xxx/CVE-2022-23617.json b/2022/23xxx/CVE-2022-23617.json
index 55082e06ffe..275a980ca30 100644
--- a/2022/23xxx/CVE-2022-23617.json
+++ b/2022/23xxx/CVE-2022-23617.json
@@ -38,7 +38,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue.\n"
+ "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with edit right can copy the content of a page it does not have access to by using it as template of a new page. This issue has been patched in XWiki 13.2CR1 and 12.10.6. Users are advised to update. There are no known workarounds for this issue."
 }
 ]
 },
diff --git a/2022/23xxx/CVE-2022-23622.json b/2022/23xxx/CVE-2022-23622.json
index 54036e1ed7c..bb34e3c45bf 100644
--- a/2022/23xxx/CVE-2022-23622.json
+++ b/2022/23xxx/CVE-2022-23622.json
@@ -41,7 +41,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for anyone. 2. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. A way to obtain the second condition is when administrators checked the \"Prevent unregistered users from viewing pages, regardless of the page rights\" box in the administration rights. This issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. There are two main ways for protecting against this vulnerability, the easiest and the best one is by applying a patch in the `registerinline.vm` template, the patch consists in checking the value of the xredirect field to ensure it matches: ``. If for some reason it's not possible to patch this file, another workaround is to ensure \"Prevent unregistered users from viewing pages, regardless of the page rights\" is not checked in the rights and apply a better right scheme using groups and rights on spaces."
+ "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions there is a cross site scripting (XSS) vector in the `registerinline.vm` template related to the `xredirect` hidden field. This template is only used in the following conditions: 1. The wiki must be open to registration for anyone. 2. The wiki must be closed to view for Guest users or more specifically the XWiki.Registration page must be forbidden in View for guest user. 
A way to obtain the second condition is when administrators checked the \"Prevent unregistered users from viewing pages, regardless of the page rights\" box in the administration rights. This issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3. There are two main ways for protecting against this vulnerability, the easiest and the best one is by applying a patch in the `registerinline.vm` template, the patch consists in checking the value of the xredirect field to ensure it matches: ``. If for some reason it's not possible to patch this file, another workaround is to ensure \"Prevent unregistered users from viewing pages, regardless of the page rights\" is not checked in the rights and apply a better right scheme using groups and rights on spaces."
 }
 ]
 },
diff --git a/2022/23xxx/CVE-2022-23631.json b/2022/23xxx/CVE-2022-23631.json
index 8bfe2ccf0f6..0dca966ddde 100644
--- a/2022/23xxx/CVE-2022-23631.json
+++ b/2022/23xxx/CVE-2022-23631.json
@@ -35,7 +35,7 @@
 "description_data": [
 {
 "lang": "eng",
- "value": "superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue.\n"
+ "value": "superjson is a program to allow JavaScript expressions to be serialized to a superset of JSON. In versions prior to 1.8.1 superjson allows input to run arbitrary code on any server using superjson input without prior authentication or knowledge. The only requirement is that the server implements at least one endpoint which uses superjson during request processing. This has been patched in superjson 1.8.1. Users are advised to update. There are no known workarounds for this issue."
 }
 ]
 },