{"containers": {"cna": {"affected": [{"product": "xwiki-platform", "vendor": "xwiki", "versions": [{"status": "affected", "version": "< 12.9"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "CWE-89 SQL Injection", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-23T22:45:15", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5"}, {"tags": ["x_refsource_MISC"], "url": "https://jira.xwiki.org/browse/XWIKI-17662"}], "source": {"advisory": "GHSA-79rg-7mv3-jrr5", "discovery": "UNKNOWN"}, "title": "Rating Script Service expose XWiki to SQL injection", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21380", "STATE": "PUBLIC", "TITLE": "Rating Script Service expose XWiki to SQL injection"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "xwiki-platform", "version": {"version_data": [{"version_value": "< 12.9"}]}}]}, "vendor_name": "xwiki"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-89 SQL Injection"}]}]}, "references": {"reference_data": [{"name": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5", "refsource": "CONFIRM", "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5"}, {"name": "https://jira.xwiki.org/browse/XWIKI-17662", "refsource": "MISC", "url": "https://jira.xwiki.org/browse/XWIKI-17662"}]}, "source": {"advisory": "GHSA-79rg-7mv3-jrr5", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.981Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jira.xwiki.org/browse/XWIKI-17662"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21380", "datePublished": "2021-03-23T22:45:15", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.981Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*", "matchCriteriaId": "8ED2FCAC-A009-4684-B9D0-F09DE16AD91D", "versionEndIncluding": "12.8", "versionStartIncluding": "6.4.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.4:-:*:*:*:*:*:*", "matchCriteriaId": "3E7F4275-7B1E-474A-BE3C-A6F169CD3CD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.4:milestone3:*:*:*:*:*:*", "matchCriteriaId": "34004E8E-213E-4D7F-A6BF-953A5A5C3CA6", "vulnerable": true}, {"criteria": "cpe:2.3:a:xwiki:xwiki:6.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "485ABFAB-BF8B-4093-9296-EA5F4AA4A804", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager."}, {"lang": "es", "value": "XWiki Platform es una plataforma wiki gen\u00e9rica que ofrece servicios en tiempo de ejecuci\u00f3n para aplicaciones creadas sobre ella.&#xa0;En las versiones afectadas de la plataforma XWiki (y solo aquellas con la API Ratings instalada), el Rating Script Service expone una API para llevar a cabo peticiones SQL sin escapar de los argumentos de b\u00fasqueda desde y d\u00f3nde.&#xa0;Esto podr\u00eda conllevar a una inyecci\u00f3n de Script SQL con bastante facilidad para cualquier usuario que tenga derechos de Script en XWiki.&#xa0;El problema ha sido parcheado en XWiki versi\u00f3n 12.9RC1.&#xa0;La \u00fanica soluci\u00f3n alternativa adem\u00e1s de actualizar XWiki ser\u00eda desinstalar la API Ratings en XWiki desde el Extension Manager"}], "id": "CVE-2021-21380", "lastModified": "2024-11-21T05:48:14.300", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-23T23:15:13.630", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-17662"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://jira.xwiki.org/browse/XWIKI-17662"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}