Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2, a payments info page of Pay is susceptible to reflected cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL could be distributed via email to specifically target certain individuals. If the targeted application contains a functionality to submit user-generated content (such as comments), the attacker could even distribute the URL using that functionality. This has been patched in version 6.3.2 and above. There are no known workarounds for this vulnerability.

Discourse is an open source platform for community discussion. Due to the improper sanitization of SVG files, an attacker can execute arbitrary JavaScript on the users’ browsers by uploading a crafted SVG file. This issue is patched in the latest stable and tests-passed versions of Discourse. For users unable to upgrade there are two possible workarounds: enable CDN handling of uploads (and ensure the CDN sanitizes SVG files) or disable SVG file uploads by ensuring that the `authorized extensions` site setting does not include `svg` (or reset that setting to the default; by default Discourse doesn't enable SVG uploads by users).

Matrix-js-sdk is the Matrix Client-Server SDK for JavaScript and TypeScript. An attacker present in a room where an MSC3401 group call is taking place can eavesdrop on the video and audio of participants using matrix-js-sdk, without their knowledge. To affected matrix-js-sdk users, the attacker will not appear to be participating in the call. This attack is possible because matrix-js-sdk's group call implementation accepts incoming direct calls from other users, even if they have not yet declared intent to participate in the group call, as a means of resolving a race condition in call setup. Affected versions do not restrict access to the user's outbound media in this case. As a workaround, users may hold group calls in private rooms where only the exact users who are expected to participate in the call are present.

XWiki Commons are technical libraries common to several other top level XWiki projects. The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.10: HTML comments are now removed in restricted mode, and a check has been introduced that ensures that comments don't start with `>`.
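The two rules the XWiki 14.10 fix is described with above, as an added example in Python that is not XWiki's own cleaner code: in restricted mode every HTML comment is dropped, and otherwise a comment whose body starts with `>` is rejected. The function and exception names are assumptions, and the inputs in the comments are constructed samples.

```python
# Added example, not XWiki's code: a cleaner pass that applies the two
# comment rules the advisory describes (function/error names are assumptions).


class InvalidCommentError(ValueError):
    """Raised for a comment whose body starts with '>' (an invalid comment)."""


def clean_html_comments(html: str, restricted: bool) -> str:
    """Walk the input once and handle every '<!--' opener it finds.

    restricted=True : every comment is removed. An unterminated '<!--' is
                      treated as running to end of input and removed too,
                      which is the conservative choice for untrusted content.
    restricted=False: comments are kept, but a body that starts with '>'
                      is rejected, because parsers disagree on where such an
                      invalid comment ends and may render its content.
    """
    out = []
    pos = 0
    while True:
        start = html.find("<!--", pos)
        if start == -1:
            out.append(html[pos:])
            return "".join(out)
        out.append(html[pos:start])
        end = html.find("-->", start + 4)
        body = html[start + 4:end] if end != -1 else html[start + 4:]
        if not restricted:
            if body.startswith(">"):
                raise InvalidCommentError(
                    f"comment body starts with '>': {body[:20]!r}")
            out.append(html[start:end + 3] if end != -1 else html[start:])
        if end == -1:
            return "".join(out)
        pos = end + 3


def is_safe_in_restricted_mode(html: str) -> bool:
    """True when restricted-mode cleaning leaves no comment opener behind."""
    return "<!--" not in clean_html_comments(html, restricted=True)


if __name__ == "__main__":
    # Constructed sample: an invalid comment wrapping markup.
    sample = "<p>a</p><!--> <b>x</b> --><p>b</p>"
    print(clean_html_comments(sample, restricted=True))   # <p>a</p><p>b</p>
    print(is_safe_in_restricted_mode(sample))              # True
```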