Basic Information

CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-security-authentication-default | maven | >= 13.10.8, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-security-authentication-default | maven | >= 14.4.3, < 14.4.7 | 14.4.7 |
| org.xwiki.platform:xwiki-platform-security-authentication-default | maven | >= 14.6, < 14.10 | 14.10 |
Before the patch, the handle method in AuthenticationResourceReferenceHandler.java did not validate the wiki reference it took from the URL. An attacker could place a payload in the wiki-name segment of an authenticate URL (for example, xwiki%22onload=%22alert(origin)%22, which decodes to xwiki"onload="alert(origin)"), and that value was reflected unchanged into the HTML response. Because the name is written into the rendered template without context-aware escaping, the payload's double quote terminates the value it lands in and the remainder is parsed as a new onload event-handler attribute, which is a reflected XSS. The patch added a check through WikiDescriptorManager.exists() that rejects requests naming a wiki that does not exist before any further processing, so an arbitrary attacker-controlled name never reaches the template; that the fix is exactly this validation confirms unvalidated input handling as the root cause. The check is an allow-list on the input rather than output encoding, so for any other value reflected by the same template, context-aware escaping remains the general defense.
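The following is an added example, not XWiki's code, that models the behaviour described above: a minimal handler that reflects the wiki-name segment of an authenticate URL into an HTML template, beside a hardened version that applies the existence check (modelled here as a constructed set standing in for WikiDescriptorManager) and escapes the name for its attribute context. The URL shape /authenticate/wiki/<name>/<action>, the template string and the set of known wikis are assumptions for illustration.

```python
"""Added example (not XWiki's own code): reflected wiki name, pre-patch vs patched."""
from html import escape
from urllib.parse import unquote


# Constructed stand-in for WikiDescriptorManager: the wikis that exist.
KNOWN_WIKIS = {"xwiki", "sub"}

# Hypothetical template; the real XWiki template differs. The wiki name is
# interpolated inside a quoted attribute value, which is the context the
# payload's leading %22 (") is shaped to break out of.
TEMPLATE = '<body class="wiki-{wiki}"><p>Authentication for wiki {wiki}</p></body>'


class WikiNotFound(Exception):
    """Raised when the requested wiki does not exist (the patched behaviour)."""


def wiki_from_path(path: str) -> str:
    """Extract and URL-decode the wiki name from /authenticate/wiki/<name>/<action>.

    The path layout is an assumption of this example.
    """
    parts = path.split("/")
    if len(parts) < 5 or parts[1] != "authenticate" or parts[2] != "wiki":
        raise ValueError("not an authenticate URL: %r" % path)
    return unquote(parts[3])


def render_vulnerable(path: str) -> str:
    """Pre-patch model: the decoded wiki name is reflected verbatim."""
    wiki = wiki_from_path(path)
    return TEMPLATE.format(wiki=wiki)


def render_patched(path: str) -> str:
    """Patched model: reject unknown wikis first, then escape for the attribute context."""
    wiki = wiki_from_path(path)
    if wiki not in KNOWN_WIKIS:  # models WikiDescriptorManager.exists()
        raise WikiNotFound(wiki)
    # Defense in depth: the name now comes from an allow-list, but escaping
    # keeps the template safe if that list ever contains an unusual identifier.
    return TEMPLATE.format(wiki=escape(wiki, quote=True))


def patched_rejects(path: str) -> bool:
    """True when the patched handler refuses the request with WikiNotFound."""
    try:
        render_patched(path)
    except WikiNotFound:
        return True
    return False


if __name__ == "__main__":
    # Constructed attack URL carrying the payload from the advisory text.
    payload = "/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword"
    print(render_vulnerable(payload))   # onload handler lands in the body tag
    print(patched_rejects(payload))     # True: unknown wiki, nothing is rendered
    print(render_patched("/authenticate/wiki/xwiki/resetpassword"))
```

Running the block shows the vulnerable output containing a literal onload attribute immediately after the closed class attribute, while the patched handler never renders the attacker-supplied name because no wiki of that name exists.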