GHSA-cv55-v6rw-7r5v

Source

https://github.com/advisories/GHSA-cv55-v6rw-7r5v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-cv55-v6rw-7r5v/GHSA-cv55-v6rw-7r5v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-cv55-v6rw-7r5v

Aliases

CVE-2024-31987

Published

2024-04-10T17:14:47Z

Modified

2024-04-10T22:01:40Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

XWiki Platform remote code execution from account via custom skins support

Details

Impact

Any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution.

To reproduce, as a user without edit, script or admin right, add an object of class XWiki.XWikiSkins to your profile. Name it whatever you want and set the Base Skin to flamingo. Add an object of class XWikiSkinFileOverrideClass and set the path to macros.vm and the content to:

#macro(mediumUserAvatar $username)
  #resizedUserAvatar($username 50)
  $services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end

Back to your profile, click Test this skin. Force a refresh, just in case. If the error "Skin - I got programming: true" gets logged, the installation is vulnerable.

Patches

This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1.

Workarounds

We're not aware of any workaround except upgrading.

References

https://jira.xwiki.org/browse/XWIKI-21478
https://github.com/xwiki/xwiki-platform/commit/3d4dbb41f52d1a6e39835cfb1695ca6668605a39 (>= 15.8 RC1)
https://github.com/xwiki/xwiki-platform/commit/da177c3c972e797d92c1a31e278f946012c41b56 (< 15.8 RC1)

Database specific

{
    "nvd_published_at": "2024-04-10T21:15:07Z",
    "cwe_ids": [
        "CWE-862"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:14:47Z"
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name: org.xwiki.platform:xwiki-platform-oldcore; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4-milestone-1

Fixed

14.10.19

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name: org.xwiki.platform:xwiki-platform-oldcore; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0-rc-1

Fixed

15.5.4

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name: org.xwiki.platform:xwiki-platform-oldcore; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.6-rc-1

Fixed

15.10-rc-1