|
Description
|
|
Sony has discovered two vulnerabilities in XWiki Enterprise, which can be exploited by malicious users to conduct script insertion attacks.
Input passed via the "XWiki.XWikiComments_comment" POST parameter to e.g. xwiki/bin/commentadd/Main/WebHome when posting a comment and "XWiki.XWikiUsers_0_company" POST parameter when editing a user's profile is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
The vulnerabilities are confirmed in version 3.4. Other versions may also be affected.
|
