Platform
java
Component
org.xwiki.platform:xwiki-platform-oldcore
Fixed in
12.6.3 (later 12.6.x releases such as 12.6.4 and 12.6.5 also contain the fix); 12.8 for the following release line
CVE-2021-29459 is a critical stored (persistent) Cross-Site Scripting (XSS) vulnerability in XWiki Platform Oldcore before 12.6.3. An attacker can store script in fields that the wiki later renders without HTML encoding, so it executes in the browser of every user who views them. Exploitation can lead to session hijacking, disclosure of sensitive data, forged requests made in the victim's name (the CSRF angle), and account takeover, particularly when the victim holds administrative rights. The vulnerability is fixed in version 12.6.3.
The impact is significant because the injected script is stored on the server and served to every user who views the affected content. Unregistered users can inject scripts simply by filling in text fields; registered users can inject them into their personal information or into static lists (given edit rights). The script then runs in the victim's browser with the victim's session: it can read whatever the page shows, exfiltrate session cookies unless they are flagged HttpOnly, and issue authenticated requests on the victim's behalf. If the victim is an administrator, those requests can reconfigure the wiki or create privileged accounts, which gives the attacker effective control of the instance and opens the way to data theft and further compromise.
CVE-2021-29459 was publicly disclosed on April 22, 2021. A stored XSS that is triggered by filling in a text field is trivial to probe for, so it is a natural target for automated scanning. No active exploitation campaigns have been publicly confirmed, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalogue as of this writing. The CVSS score of 9.6 (CRITICAL) measures severity, not the probability of exploitation; the EPSS figure below is the likelihood estimate.
Exploit Status
EPSS
0.42% (62nd percentile)
CVSS Vector
The only complete fix for CVE-2021-29459 is to upgrade XWiki Platform Oldcore to 12.6.3 or later (12.8 or later on the following release line). If an upgrade cannot be scheduled immediately, the measures below reduce exposure but do not remove the flaw: a Web Application Firewall with XSS rules in front of the wiki (such filters are bypassable, so treat this as a speed bump), tightening who may register and edit, and HTML output encoding of user-supplied field values wherever your own templates or extensions render them. Keep following XWiki's security advisories and apply the releases they name. Script execution in a victim's browser never shows up in server logs, so monitor instead for edits to user profile fields and static list values that contain HTML markup, and for administrators viewing such content shortly after those edits. After upgrading, confirm the fix: submit a harmless canary payload (for example an <img> tag with an onerror handler carrying a unique marker) into each vector the advisory names, an anonymous text field, a registered user's personal information and a static list, then view the result as a different user and check that the marker appears as encoded text rather than live markup.
Upgrade XWiki Platform to version 12.6.3 or later, or to version 12.8 or later. This fixes the Cross-Site Scripting (XSS) vulnerability that allows persistent script injection. Upgrading is the only recommended fix.
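The post-upgrade check described above, as an added example (not XWiki project code): an offline classifier that takes the HTML captured after the canary was submitted and reports whether the marker came back as live markup, as encoded text, or not at all. The canary id, the payload and the three sample responses are constructed assumptions, not captures from a real instance.

```python
"""Offline classifier for a stored-XSS canary in a captured wiki page.

Added example, not XWiki project code. It does not talk to a server: the
HTML snippets at the bottom are constructed stand-ins for the page returned
after submitting the payload into a text field; the canary id and the
surrounding markup are assumptions.
"""
import html
from html.parser import HTMLParser

CANARY_ID = "xss-canary-7b3f"  # assumed marker; generate a fresh one per test run
# A payload that needs no user interaction once it is rendered as markup.
PAYLOAD = f'<img src=x onerror="alert(\'{CANARY_ID}\')">'


class _CanaryScanner(HTMLParser):
    """Records where the canary lands: in live markup or in inert text."""

    def __init__(self, canary_id):
        super().__init__()
        self.canary_id = canary_id
        self.live_markup = []  # (tag, attribute) pairs in which the canary would execute
        self.inert_text = 0    # occurrences rendered as escaped, harmless text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            # Event-handler attributes and javascript: URLs are where script runs.
            if value and self.canary_id in value and (
                name.lower().startswith("on")
                or value.lower().lstrip().startswith("javascript:")
            ):
                self.live_markup.append((tag, name))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self.canary_id not in data:
            return
        if self._in_script:
            self.live_markup.append(("script", None))  # script body: executes
        else:
            self.inert_text += data.count(self.canary_id)  # text node: encoded


def classify_response(page_html, canary_id=CANARY_ID):
    """Return 'vulnerable', 'encoded' or 'absent' for one captured page."""
    scanner = _CanaryScanner(canary_id)
    scanner.feed(page_html)
    scanner.close()
    if scanner.live_markup:
        return "vulnerable"
    if scanner.inert_text:
        return "encoded"
    return "absent"  # stripped or not rendered in this view: inconclusive


# Constructed sample responses (not captured from a real XWiki instance).
VULNERABLE_RESPONSE = '<div class="field">' + PAYLOAD + '</div>'          # raw markup
FIXED_RESPONSE = '<div class="field">' + html.escape(PAYLOAD) + '</div>'  # HTML-encoded
STRIPPED_RESPONSE = '<div class="field"></div>'                           # payload filtered out

if __name__ == "__main__":
    for label, page in [("before fix", VULNERABLE_RESPONSE),
                        ("after fix", FIXED_RESPONSE),
                        ("filtered", STRIPPED_RESPONSE)]:
        print(f"{label}: {classify_response(page)}")
```

Python's parser is not a browser's, so treat "vulnerable" as definitive and "encoded" as a strong signal to confirm once in a real browser. Run it against a capture from each vector the advisory names (an anonymous text field, a registered user's personal information, a static list), viewed as the kind of user an attacker would target.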
CVE-2021-29459 is a critical XSS vulnerability in XWiki Platform Oldcore allowing attackers to inject scripts, potentially leading to session hijacking and data theft.
You are affected if you are using XWiki Platform Oldcore versions prior to 12.6.3. Upgrade immediately to mitigate the risk.
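One way to check a project's declared dependency on the affected component, as an added example (not XWiki or Maven tooling): it parses a Maven POM, resolves `${...}` properties, and compares the resolved `xwiki-platform-oldcore` version against the fixed versions the page gives. The sample POM is constructed. Treating 12.7.x as unfixed is an inference from the two fix versions stated here (12.6.3 and 12.8); confirm it against the vendor advisory.

```python
"""Check a Maven POM for an affected xwiki-platform-oldcore version.

Added example, not XWiki or Maven tooling. The sample POM below is constructed.
Fixed versions follow the page: 12.6.3 for the 12.6.x line and 12.8 for the next
line, so 12.7.x releases are treated as unfixed here (an inference; verify it).
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"
AFFECTED_COMPONENT = ("org.xwiki.platform", "xwiki-platform-oldcore")
# Half-open [low, high) ranges of affected release versions (assumed, see above).
AFFECTED_RANGES = [((0, 0, 0), (12, 6, 3)), ((12, 7, 0), (12, 8, 0))]


def version_key(text):
    """Map '12.6.2' or '12.8-rc-1' to a sortable key; any suffix sorts below the release."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)(.*?)\s*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = (nums + (0, 0, 0))[:3]  # pad to three components, ignore a fourth
    return nums, 0 if m.group(2) else 1


def is_affected(version_text):
    key = version_key(version_text)
    return any((low, 1) <= key < (high, 1) for low, high in AFFECTED_RANGES)


def _resolve(raw, props):
    """Substitute ${name} references from the POM's <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), raw)


def audit_pom(pom_xml):
    """Return [(resolved_version, status)] for every declared oldcore dependency.

    status is 'affected', 'fixed' or 'unknown' (version not resolvable from this POM
    alone, e.g. inherited from a parent or a BOM; resolve it with Maven instead).
    """
    root = ET.fromstring(pom_xml)
    props = {}
    for props_el in root.iter(POM_NS + "properties"):
        for child in props_el:
            props[child.tag.replace(POM_NS, "")] = (child.text or "").strip()
    project_version = root.findtext(POM_NS + "version", "").strip()
    if project_version:
        props.setdefault("project.version", project_version)
    results = []
    for dep in root.iter(POM_NS + "dependency"):
        gid = dep.findtext(POM_NS + "groupId", "").strip()
        aid = dep.findtext(POM_NS + "artifactId", "").strip()
        if (gid, aid) != AFFECTED_COMPONENT:
            continue
        version = _resolve(dep.findtext(POM_NS + "version", "").strip(), props)
        try:
            status = "affected" if is_affected(version) else "fixed"
        except ValueError:
            status = "unknown"
        results.append((version, status))
    return results


# Constructed sample POM for a hypothetical extension pinned to 12.6.2.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>wiki-extension</artifactId>
  <version>1.0.0</version>
  <properties>
    <xwiki.version>12.6.2</xwiki.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.xwiki.platform</groupId>
      <artifactId>xwiki-platform-oldcore</artifactId>
      <version>${xwiki.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for version, status in audit_pom(SAMPLE_POM):
        print(f"xwiki-platform-oldcore {version}: {status}")
```

This only inspects dependencies declared in the POM you hand it. Oldcore usually arrives transitively, so for a real project feed `is_affected` the version shown by `mvn dependency:tree` rather than trusting the declared coordinates alone.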
Upgrade XWiki Platform Oldcore to version 12.6.3 or later. Implement input validation and WAF rules as temporary workarounds if an upgrade is not immediately possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's criticality makes it a potential target. Monitor your systems closely.
Refer to the official XWiki security advisory: https://www.xwiki.com/xwiki/bin/view/Main/SecurityAdvisories