Vulnerability Details : CVE-2021-21380
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of XWiki Platform (and only those with the Ratings API installed), the Rating Script Service exposes an API that performs SQL requests without escaping its from and where search arguments. Any user holding Script rights on the wiki can therefore inject SQL through those arguments with little effort. The problem has been patched in XWiki 12.9RC1. The only workaround besides upgrading XWiki is to uninstall the Ratings API through the Extension Manager.
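As an added illustration (not XWiki's code and not taken from the advisory), the following Python models the pattern the description names: a ratings lookup that concatenates caller-supplied from and where fragments into the statement text, beside a version that only accepts allowlisted columns and bound values. The use of sqlite3, the table and column names, the sample rows and the users table are all assumptions made for the demonstration; XWiki's real service is Java/HQL invoked from wiki scripts, and the actual fix shipped in 12.9RC1 may be shaped differently.

```python
"""Constructed model of the CVE-2021-21380 pattern (not XWiki's code).

XWiki's real Ratings service is Java/HQL invoked from wiki scripts; this
stand-in uses sqlite3 so the query mechanics can be run offline. Table and
column names, the sample rows and the 'users' table are all made up here.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database: a ratings table plus a table the ratings API
    should never expose (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ratings(id INTEGER PRIMARY KEY, doc TEXT, author TEXT, vote INTEGER);
        CREATE TABLE users(name TEXT, password_hash TEXT);
        INSERT INTO ratings VALUES (1, 'Main.WebHome', 'Alice', 5),
                                   (2, 'Main.WebHome', 'Bob', 3),
                                   (3, 'Sandbox.Test', 'Alice', 1);
        INSERT INTO users VALUES ('admin', '$2a$10$constructed-hash');
        """
    )
    return conn


def get_ratings_vulnerable(conn, from_fragment: str, where_fragment: str):
    """Vulnerable shape: caller-supplied FROM and WHERE fragments are
    concatenated into the statement text unchanged, which is what the
    advisory describes for the Rating Script Service."""
    sql = ("SELECT r.doc, r.author, r.vote FROM ratings r "
           + from_fragment + " WHERE " + where_fragment)
    return conn.execute(sql).fetchall()


# Columns a caller may filter on in the hardened variant (assumed set).
ALLOWED_COLUMNS = {"doc", "author", "vote"}


def get_ratings_fixed(conn, filters: dict):
    """Hardened shape: callers pick columns from an allowlist and supply
    values that are bound as parameters, so no caller text ever becomes
    part of the SQL text. (Illustrative; XWiki's own fix may differ.)"""
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        clauses.append(f"{column} = ?")
        params.append(value)
    sql = "SELECT doc, author, vote FROM ratings"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return conn.execute(sql, params).fetchall()


def fixed_rejects(conn, filters: dict) -> bool:
    """True if the hardened API refuses the filter set (unknown column)."""
    try:
        get_ratings_fixed(conn, filters)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    # A script author with Script rights asking for one page's ratings.
    print(get_ratings_vulnerable(db, "", "r.doc = 'Main.WebHome'"))
    # The same author supplying a WHERE fragment that short-circuits the
    # intended predicate and appends a UNION over an unrelated table.
    attack = "1=0 UNION SELECT name, password_hash, 0 FROM users --"
    print(get_ratings_vulnerable(db, "", attack))
    # Hardened API: the quote-laden value is bound, not interpreted.
    print(get_ratings_fixed(db, {"doc": "Main.WebHome' OR '1'='1"}))
    print(fixed_rejects(db, {attack: 1}))
```

The point the advisory makes is the privilege gap: Script rights are a common grant for wiki authors, yet the concatenated fragments hand such a user the full query surface of the database, which is why the second vector below carries a changed scope (S:C). The hardened variant closes that gap by never letting caller text reach the statement, only column names it already knows and values it binds.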
Vulnerability category: SQL Injection
Products affected by CVE-2021-21380
- cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:6.4:-:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:6.4:milestone3:*:*:*:*:*:*
- cpe:2.3:a:xwiki:xwiki:6.4:rc1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-21380
- EPSS score: 0.09% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~36% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-21380
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P | 8.0 | 6.4 | NIST | |
8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 | NIST | |
7.7 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N | 3.1 | 4.0 | GitHub, Inc. | |
CWE ids for CVE-2021-21380
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
  Assigned by:
  - nvd@nist.gov (Primary)
  - security-advisories@github.com (Secondary)
References for CVE-2021-21380
- https://jira.xwiki.org/browse/XWIKI-17662
  [XWIKI-17662] Rating Script Service expose XWiki to SQL injection - XWiki.org JIRA (Issue Tracking; Vendor Advisory)
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-79rg-7mv3-jrr5
  Rating Script Service expose XWiki to SQL injection · Advisory · xwiki/xwiki-platform · GitHub (Third Party Advisory)