GHSA-9hqh-fmhg-vq2j
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9hqh-fmhg-vq2j
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-9hqh-fmhg-vq2j/GHSA-9hqh-fmhg-vq2j.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9hqh-fmhg-vq2j
- Aliases
- Published
- 2022-11-21T22:34:57Z
- Modified
- 2023-11-08T04:10:36.058116Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
- Details
-
Impact
Any user with the right to edit his personal page can follow one of the scenario below:
Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page (any image is fine) - Click on "rename" in the attachment list and enter
{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.pngas new attachment name and submit the rename - Go back to the user profile - Click on the edit icon on the user avatar -Hello from groovy!is displayed as the title of the attachmentScenario 2: - Log in as a simple user with just edit rights on a page - Create a Page
MyPage.WebHome- Create an XClass field of type String namedavatar- Add an XObject of typeMyPage.WebHomeon the page - Insert anattachmentSelectormacro in the document with the following values: - classname:MyPage.WebHome- property:avatar- savemode:direct- displayImage:true- width:]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of anattachmentSelectormacro declaration. - Display the page - Use the attachment picker to select an image -Hello from groovyis displayed aside the imageExample of an
attachmentSelectormacro declaration:`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`Note: The issue can also be reproduced by inserting the dangerous payload in the
heightoraltmacro properties.Patches
The issue can be fixed on a running wiki by updating
XWiki.AttachmentSelectorwith the versions below:- 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
- 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
Workarounds
No known workaround.
References
- https://jira.xwiki.org/browse/XWIKI-19800
For more information
If you have any questions or comments about this advisory: - Open an issue in Jira XWiki.org - Email us at Security Mailing List
- Database specific
{ "nvd_published_at": "2022-11-23T19:15:00Z", "github_reviewed_at": "2022-11-21T22:34:57Z", "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-95" ] }- References
Affected packages
Maven / org.xwiki.platform:xwiki-platform-attachment-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-attachment-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui
Maven / org.xwiki.platform:xwiki-platform-attachment-ui
Package
- Name
- org.xwiki.platform:xwiki-platform-attachment-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui