GHSA-3hjg-cghv-22ww

Source

https://github.com/advisories/GHSA-3hjg-cghv-22ww

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-3hjg-cghv-22ww/GHSA-3hjg-cghv-22ww.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-3hjg-cghv-22ww

Aliases

CVE-2023-29519

Published

2023-04-20T22:04:49Z

Modified

2023-11-08T04:12:20.078168Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

Details

Impact

A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1.

Workarounds

The problem can be worked around by applying following changes directly in XWiki.AttachmentSelector page: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1.

References

https://jira.xwiki.org/browse/XWIKI-20364
https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Database specific

{
    "nvd_published_at": "2023-04-19T00:15:08Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-20T22:04:49Z"
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name: org.xwiki.platform:xwiki-platform-attachment-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0-rc-1

Fixed

13.10.11

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name: org.xwiki.platform:xwiki-platform-attachment-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0-rc-1

Fixed

14.4.8

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name: org.xwiki.platform:xwiki-platform-attachment-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.5

Fixed

14.10.2