CVE-2020-13654: Improper escaping in XWiki Platform

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.27825%
Published: 2/9/2022
Updated: 5/2/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.xwiki.platform:xwiki-platform-web
Ecosystem: maven
Vulnerable Versions: < 12.8
First Patched Version: 12.8

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability manifests in property display rendering as documented in XWIKI-17374. The PropertyDisplayer.display method is the core output mechanism for user-controlled properties. The JIRA ticket explicitly shows the XSS occurs in property display and links to escaping improvements in XMLUtils. While the exact code diff isn't available, the security advisory and JIRA analysis confirm the displayer's escaping was inadequate prior to 12.8.

WAF Protection Rules

WAF Rule

XWiki Platform before 12.8 mishandles escaping in the property displayer.
