GHSA-f776-w9v2-7vfj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-f776-w9v2-7vfj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-f776-w9v2-7vfj/GHSA-f776-w9v2-7vfj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-f776-w9v2-7vfj
- Aliases
- Published
- 2023-10-17T02:19:16Z
- Modified
- 2023-11-08T04:13:37.197628Z
- Severity
-
- 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- XWiki Change Request Application UI XSS and remote code execution through change request title
- Details
-
Impact
It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.
Patches
The vulnerability has been fixed in Change Request 1.9.2.
Workarounds
It's possible to workaround the issue without upgrading by editing the document
ChangeRequest.Code.ChangeRequestSheetand by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.References
- JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
- Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List
Attribution
Thanks Michael Hamann for the report.
- Database specific
{ "nvd_published_at": "2023-10-12T17:15:09Z", "cwe_ids": [ "CWE-79" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2023-10-17T02:19:16Z" }- References
-
- https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj
- https://nvd.nist.gov/vuln/detail/CVE-2023-45138
- https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4
- https://github.com/xwiki-contrib/application-changerequest
- https://jira.xwiki.org/browse/CRAPP-298
Affected packages
Maven / org.xwiki.contrib.changerequest:application-changerequest-ui
Package
- Name
- org.xwiki.contrib.changerequest:application-changerequest-ui
- View open source insights on deps.dev
- Purl
- pkg:maven/org.xwiki.contrib.changerequest/application-changerequest-ui