CVE-2021-21380

描述

### Impact This issue impacts only XWiki with the Ratings API installed. The Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments. This might lead to an SQL script injection quite easily for any user having Script rights on XWiki. ### Patches The problem has been patched in XWiki 12.9RC1. ### Workarounds The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager. ### References https://jira.xwiki.org/browse/XWIKI-17662 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](http://jira.xwiki.org) * Email us at our [security mailing list](mailto:[email protected])

如何修補 CVE-2021-21380

要修補 CVE-2021-21380,請將受影響套件升級到下列已修補版本。

• —升級至 12.9 或更新版本

CVE-2021-21380 正在被利用嗎?

低 — EPSS 為 3.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 12.9

CVSS 分數

參考連結(3)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-21380
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5
• WEBjira.xwiki.org/browse/XWIKI-17662