CVE-2021-43841

Description

### Impact When using default XWiki configuration, it's possible for an attacker to upload an SVG containing a script executed when executing the download action on the file. ### Patches This problem has been patched so that the default configuration doesn't allow to display the SVG files in the browser. ### Workarounds This issue can be fixed without the patch by setting properly the configuration to download or display files, see: https://www.xwiki.org/xwiki/bin/view/Documentation/AdminGuide/Attachments#HAttachmentdisplayordownload ### References https://jira.xwiki.org/browse/XWIKI-18368 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [security ML](mailto:security@xwiki.org)

How to fix CVE-2021-43841

To remediate CVE-2021-43841, upgrade the affected package to a fixed version below.

• —upgrade to 12.10.6 or later
• —upgrade to 13.3RC1 or later

Is CVE-2021-43841 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 12.10.6
• >= 13.0, < 13.3RC1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-43841
• WEBgithub.com/xwiki/xwiki-platform
• WEBgithub.com/xwiki/xwiki-platform/commit/5853d492b3a274db0d94d560e2a5ea988a271c62
• WEBgithub.com/xwiki/xwiki-platform/security/advisories/GHSA-9jq9-c2cv-pcrj