GHSA-j2r6-r929-v6gf

Source

https://github.com/advisories/GHSA-j2r6-r929-v6gf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-j2r6-r929-v6gf/GHSA-j2r6-r929-v6gf.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j2r6-r929-v6gf

Aliases

CVE-2024-31985

Published

2024-04-10T17:14:12Z

Modified

2024-04-10T22:01:24Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator

Summary

XWiki Platform CSRF in the job scheduler

Details

Impact

It is possible to schedule/trigger/unschedule existing jobs by having an admin visit the Job Scheduler page through a predictable URL, for example by embedding such an URL in any content as an image.

To reproduce in an XWiki installation, open <xwiki-host>:/xwiki/bin/view/Scheduler/?do=trigger&which=Scheduler.NotificationEmailDailySender as a user with admin rights. If there is no error message that indicates the CSRF token is invalid, the installation is vulnerable.

Patches

The vulnerability has been fixed on XWiki 14.10.19, 15.5.5, and 15.9.

Workarounds

Modify the Scheduler.WebHome page following this patch.

References

https://jira.xwiki.org/browse/XWIKI-20851
https://github.com/xwiki/xwiki-platform/commit/f16ca4ef1513f84ce2e685d4a05d689bd3a2ab4c

Database specific

{
    "nvd_published_at": "2024-04-10T21:15:06Z",
    "cwe_ids": [
        "CWE-352"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:14:12Z"
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name: org.xwiki.platform:xwiki-platform-scheduler-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1

Fixed

14.10.19

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name: org.xwiki.platform:xwiki-platform-scheduler-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.0-rc-1

Fixed

15.5.4

Maven / org.xwiki.platform:xwiki-platform-scheduler-ui

Package

Name: org.xwiki.platform:xwiki-platform-scheduler-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-scheduler-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

15.6-rc-1

Fixed

15.9