CVE-2021-43841
Cross-site Scripting by SVG upload in xwiki-platform
描述
### Impact When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. ### Patches This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. ### Workarounds This issue can be fixed without the patch by setting properly the configuration to download or display files, see: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload ### References https://jira.xwiki.org/browse/XWIKI-18368 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])
如何修補 CVE-2021-43841
要修補 CVE-2021-43841,請將受影響套件升級到下列已修補版本。
- —升級至 12.10.6 或更新版本
- —升級至 13.3RC1 或更新版本
CVE-2021-43841 正在被利用嗎?
低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。
受影響套件(2)
- from 0, < 12.10.6
- >= 13.0, < 13.3RC1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM4.1 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N |