GHSA-36fm-j33w-c25f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-36fm-j33w-c25f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-36fm-j33w-c25f/GHSA-36fm-j33w-c25f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-36fm-j33w-c25f
- Aliases
- Published
- 2023-05-11T20:36:59Z
- Modified
- 2023-11-08T04:12:33.071882Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Privilege escalation (PR)/RCE from account through class sheet
- Details
-
Impact
It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document.
Steps to Reproduce:
- Edit your user profile with the object editor and add an object of type
DocumentSheetBindingwith valueDefault Class Sheet - Edit your user profile with the wiki editor and add the syntax
{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} - Click "Save & View"
Expected result:
An error is displayed as the user doesn't have the right to execute the Groovy macro.
Actual result:
The text "Hello from groovy!" is displayed at the top of the document.
Patches
This has been patched in XWiki 15.0-rc-1 and 14.10.4.
Workarounds
There are no known workarounds for it.
References
https://jira.xwiki.org/browse/XWIKI-20566 https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
- Edit your user profile with the object editor and add an object of type
- Database specific
{ "nvd_published_at": "2023-05-09T16:15:15Z", "cwe_ids": [ "CWE-863" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-05-11T20:36:59Z" }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-test-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-test-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-test-ui