Skip to content

Commit a0caeb8

Browse files
advisory-database[bot]advisory-database[bot]
committed
Publish Advisories
GHSA-wvqx-m5px-6cmp GHSA-xvmh-25jw-gmmm
1 parent 8ba6316 commit a0caeb8

2 files changed

Lines changed: 145 additions & 4 deletions

File tree

advisories/github-reviewed/2026/01/GHSA-wvqx-m5px-6cmp/GHSA-wvqx-m5px-6cmp.json

Lines changed: 116 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,116 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-wvqx-m5px-6cmp",
4+
"modified": "2026-01-23T16:28:45Z",
5+
"published": "2026-01-23T16:28:44Z",
6+
"aliases": [
7+
"CVE-2026-24128"
8+
],
9+
"summary": "XWiki Affected by Reflected Cross-Site Scripting (XSS) in Error Messages",
10+
"details": "### Impact\nA reflected cross site scripting (XSS) vulnerability in XWiki allows an attacker to execute arbitrary actions in XWiki with the rights of the victim if the attacker manages to trick a victim into visiting a crafted URL. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation.\n\n### Patches\nThis vulnerability has been patched in XWiki 17.8.0RC1, 17.4.5 and 16.10.12.\n\n### Workarounds\nThe [patch](https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf#diff-8f16efedd19baae025db602d8736a105bfd8f72676af2c935b8195a0c356ee71) can be applied manually, only a single line in `templates/logging_macros.vm` needs to be changed, no restart is required.\n\n### References\n* https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf\n* https://jira.xwiki.org/browse/XWIKI-23462\n\n### Attribution\n\nWe thank Mike Cole @mikecole-mg for discovering and reporting this vulnerability.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Maven",
21+
"name": "org.xwiki.platform:xwiki-platform-web-templates"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "7.0-milestone-2"
29+
},
30+
{
31+
"fixed": "16.10.12"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Maven",
40+
"name": "org.xwiki.platform:xwiki-platform-web-templates"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "17.0.0-rc-1"
48+
},
49+
{
50+
"fixed": "17.4.5"
51+
}
52+
]
53+
}
54+
]
55+
},
56+
{
57+
"package": {
58+
"ecosystem": "Maven",
59+
"name": "org.xwiki.platform:xwiki-platform-web-templates"
60+
},
61+
"ranges": [
62+
{
63+
"type": "ECOSYSTEM",
64+
"events": [
65+
{
66+
"introduced": "17.5.0-rc-1"
67+
},
68+
{
69+
"fixed": "17.8.0-rc-1"
70+
}
71+
]
72+
}
73+
]
74+
}
75+
],
76+
"references": [
77+
{
78+
"type": "WEB",
79+
"url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp"
80+
},
81+
{
82+
"type": "WEB",
83+
"url": "https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf#diff-8f16efedd19baae025db602d8736a105bfd8f72676af2c935b8195a0c356ee71"
84+
},
85+
{
86+
"type": "PACKAGE",
87+
"url": "https://github.com/xwiki/xwiki-platform"
88+
},
89+
{
90+
"type": "WEB",
91+
"url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12"
92+
},
93+
{
94+
"type": "WEB",
95+
"url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5"
96+
},
97+
{
98+
"type": "WEB",
99+
"url": "https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1"
100+
},
101+
{
102+
"type": "WEB",
103+
"url": "https://jira.xwiki.org/browse/XWIKI-23462"
104+
}
105+
],
106+
"database_specific": {
107+
"cwe_ids": [
108+
"CWE-79",
109+
"CWE-80"
110+
],
111+
"severity": "MODERATE",
112+
"github_reviewed": true,
113+
"github_reviewed_at": "2026-01-23T16:28:44Z",
114+
"nvd_published_at": null
115+
}
116+
}

advisories/unreviewed/2026/01/GHSA-xvmh-25jw-gmmm/GHSA-xvmh-25jw-gmmm.json renamed to advisories/github-reviewed/2026/01/GHSA-xvmh-25jw-gmmm/GHSA-xvmh-25jw-gmmm.json

Lines changed: 29 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-xvmh-25jw-gmmm",
4-
"modified": "2026-01-23T06:31:25Z",
4+
"modified": "2026-01-23T16:29:02Z",
55
"published": "2026-01-23T06:31:25Z",
66
"aliases": [
77
"CVE-2025-67847"
88
],
9+
"summary": "Moodle affected by a code injection vulnerability",
910
"details": "A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "moodle/moodle"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"last_affected": "5.1.1"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
@@ -22,15 +43,19 @@
2243
{
2344
"type": "WEB",
2445
"url": "https://access.redhat.com/security/cve/CVE-2025-67847"
46+
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/moodle/moodle"
2550
}
2651
],
2752
"database_specific": {
2853
"cwe_ids": [
2954
"CWE-94"
3055
],
3156
"severity": "HIGH",
32-
"github_reviewed": false,
33-
"github_reviewed_at": null,
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-01-23T16:29:02Z",
3459
"nvd_published_at": "2026-01-23T05:16:24Z"
3560
}
3661
}

0 commit comments

Comments
 (0)