#mac

### Impact It's possible to execute a script with the right of another user (provided the target user does not have programming right). For example, the following: ``` {{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}} ``` written by a user not having script right (for example in the user's profile) should produce an error (the user is not allowed to write scripts). However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script right (but not programming right) the script will be executed with as if it was written by the target user. ### Patches The problem has been patched in XWiki 14.8RC1, 14.4.5 and 13.10.10. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-19856 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](htt...

### Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: ``` {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20143 ### For more information If you have any questions or comments about this advisory:...

### Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1&action=create`. For instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create) will execute the following groovy code: `println("hello from groovy!")` on the server. ### Patches This has be...

### Impact Comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled) but the async macro is not taking into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin as in: {{async}} {{groovy}}println "it works !"{{/groovy}} {{/async}} ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006) and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`. ### References * https://jira.xwiki.org/browse/XWIKI-20234 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:security@xwiki.org)

### Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: ``` }}} {{async async="true"}} {{groovy}} println("Hello from Groovy!") {{/groovy}} {{/async}} {{{ ``` Can be done by creating a new page or even through the user profile for users not having edit right. ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds An easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45 ### References https://jira.xwiki.org/browse/XWIKI-19731 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:security@xwiki.org)

### Impact Users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. ### Patches The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9. ### Workarounds The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`. ### References - Jira: https://jira.xwiki.org/browse/XWIKI-19949 - Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8 ### For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:security@xwiki.org)

In OpenBSD 7.2, a TCP packet with destination port 0 that matches a pf divert-to rule can crash the kernel.

Directus is a real-time API and App dashboard for managing SQL database content. Directus is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls by performing a DNS rebinding attack and view sensitive data from internal servers or perform a local port scan. An attacker can exploit this vulnerability to access highly sensitive internal server(s) and steal sensitive information. This issue was fixed in version 9.23.0.

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Feb. 24 and March 3. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

A mayor backing Polish opposition elections in parliament has been targeted by special services with Pegasus spyware.