GHSA-4wc6-hqv9-qc97

Source
https://github.com/advisories/GHSA-4wc6-hqv9-qc97
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-4wc6-hqv9-qc97/GHSA-4wc6-hqv9-qc97.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4wc6-hqv9-qc97
Aliases
Published
2023-06-20T16:47:13Z
Modified
2023-11-08T04:12:50.377008Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Summary
XWiki Platform vulnerable to stored cross-site scripting in ClassEditSheet page via name parameters
Details

Impact

A stored XSS can be exploited by users with edit rights: they add an AppWithinMinutes.FormFieldCategoryClass object to a page and place the payload in that page's title. Any user who then visits /xwiki/bin/view/AppWithinMinutes/ClassEditSheet executes the payload.

See https://jira.xwiki.org/browse/XWIKI-20365 for more details.

Patches

The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0.

Workarounds

The issue can be fixed by updating the AppWithinMinutes.ClassEditSheet page with the patch from the commit listed under References.

References

  • https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302
  • https://jira.xwiki.org/browse/XWIKI-20365

For more information

If you have any questions or comments about this advisory:

Attribution

This vulnerability has been reported on Intigriti by René de Sain @renniepak.

Database specific
{
    "nvd_published_at": "2023-06-23T18:15:13Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-06-20T16:47:13Z"
}
Affected packages

Maven / org.xwiki.platform:xwiki-platform-appwithinminutes-ui

Package

Name
org.xwiki.platform:xwiki-platform-appwithinminutes-ui
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-appwithinminutes-ui

Affected ranges (Type: ECOSYSTEM)

  • Introduced 5.4.4, Fixed 14.4.8
  • Introduced 14.5, Fixed 14.10.4
  • Introduced 15.0-rc-1, Fixed 15.0