GHSA-37m4-hqxv-w26g

Suggest an improvement
Source
https://github.com/advisories/GHSA-37m4-hqxv-w26g
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-37m4-hqxv-w26g/GHSA-37m4-hqxv-w26g.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-37m4-hqxv-w26g
Aliases
Published
2024-04-10T17:14:35Z
Modified
2024-04-10T22:01:32Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Platform CSRF remote code execution through scheduler job's document reference
Details

Impact

By creating a document with a special crafted documented reference and an XWiki.SchedulerJobClass XObject, it is possible to execute arbitrary code on the server whenever an admin visits the scheduler page or the scheduler page is referenced, e.g., via an image in a comment on a page in the wiki.

To reproduce on an XWiki installation, click on this link to create a new document : <xwiki-host>/xwiki/bin/view/%22%3E%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%20context%3D%22request/parameters%22%7D%7D%7B%7Bvelocity%7D%7D%23evaluate%28%24request/eval%29/. Then, add to this document an object of type XWiki.SchedulerJobClass. Finally, as an admin, go to <xwiki-host>/xwiki/bin/view/Scheduler/?eval=$services.logging.getLogger(%22attacker%22).error(%22Hello%20from%20URL%20Parameter!%20I%20got%20programming:%20$services.security.authorization.hasAccess(%27programming%27)%22). If the logs contain ERROR attacker - Hello from URL Parameter! I got programming: true, the installation is vulnerable.

Patches

The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9.

Workarounds

Modify the Scheduler.WebHome page following this patch.

References

  • https://jira.xwiki.org/browse/XWIKI-21416
  • https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name
org.xwiki.platform:xwiki-platform-scheduler-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1
Fixed
14.10.19

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name
org.xwiki.platform:xwiki-platform-scheduler-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.0-rc-1
Fixed
15.5.4

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name
org.xwiki.platform:xwiki-platform-scheduler-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
15.6-rc-1
Fixed
15.9