GHSA-m3jr-cvhj-f35j

Suggest an improvement
Source
https://github.com/advisories/GHSA-m3jr-cvhj-f35j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-m3jr-cvhj-f35j/GHSA-m3jr-cvhj-f35j.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m3jr-cvhj-f35j
Aliases
Published
2023-04-12T20:38:17Z
Modified
2023-11-08T04:12:17.332404Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
org.xwiki.commons:xwiki-commons-xml Cross-site Scripting vulnerability
Details

Impact

The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped <script> and <style>-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like <iframe>. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode:

{{html}}
<a href='' onclick='alert(1)'>XSS</a>
{{/html}}

When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.

Patches

This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode.

Workarounds

There are no known workarounds apart from upgrading to a version including the fix.

References

  • https://github.com/xwiki/xwiki-commons/commit/b11eae9d82cb53f32962056b5faa73f3720c6182 - the patch with the filter
  • https://github.com/xwiki/xwiki-commons/commit/4a185e0594d90cd4916d60aa60bb4333dc5623b2 - the patch with the definitions what is allowed
  • https://jira.xwiki.org/browse/XWIKI-9118 - the security issue with the HTML macro
  • https://jira.xwiki.org/browse/XCOMMONS-1680 - the issue regarding a definition of what is allowed HTML
  • https://jira.xwiki.org/browse/XCOMMONS-2426 - the issue regarding the filter that fixes the security issue

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list

Database specific 
{
    "nvd_published_at": "2023-04-15T15:15:00Z",
    "github_reviewed_at": "2023-04-12T20:38:17Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Maven / org.xwiki.commons:xwiki-commons-xml

Package

Name
org.xwiki.commons:xwiki-commons-xml
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2-milestone-1
Fixed
14.6-rc-1

Affected versions

4.*

4.2-milestone-1
4.2-milestone-2
4.2-milestone-3
4.2-rc-1
4.2
4.3-milestone-1
4.3-milestone-2
4.3-rc-1
4.3
4.3.1
4.4-rc-1
4.4
4.4.1
4.5-milestone-1
4.5-rc-1
4.5
4.5.1
4.5.2
4.5.3

5.*

5.0-milestone-1
5.0-milestone-2
5.0-rc-1
5.0
5.0.1
5.0.2
5.0.3
5.1-milestone-1
5.1-milestone-2
5.1-rc-1
5.1
5.2-milestone-1
5.2-milestone-2
5.2-rc-1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.3-milestone-1
5.3-milestone-2
5.3-rc-1
5.3
5.4-milestone-1
5.4-rc-1
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7

6.*

6.0-milestone-1
6.0-milestone-2
6.0-rc-1
6.0
6.0.1
6.1-milestone-1
6.1-milestone-2
6.1-rc-1
6.1
6.2-milestone-1
6.2-milestone-2
6.2-rc-1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.3-milestone-1
6.3-milestone-2
6.3-rc-1
6.3
6.4-milestone-1
6.4-milestone-2
6.4-milestone-3
6.4-rc-1
6.4
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8

7.*

7.0-milestone-1
7.0-milestone-2
7.0-rc-1
7.0
7.0.1
7.1-milestone-1
7.1-milestone-2
7.1-rc-1
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2-milestone-1
7.2-milestone-2
7.2-milestone-3
7.2-rc-1
7.2
7.3-milestone-1
7.3-rc-1
7.3
7.4-milestone-1
7.4-milestone-2
7.4-rc-1
7.4
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6

8.*

8.0-milestone-1
8.0-milestone-2
8.0-rc-1
8.0
8.1-milestone-1
8.1-milestone-2
8.1-rc-1
8.1
8.2-milestone-1
8.2-milestone-2
8.2-rc-1
8.2
8.2.1
8.2.2
8.3-milestone-2
8.3-rc-1
8.3
8.4-rc-1
8.4
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6

9.*

9.0-rc-1
9.0
9.1-rc-1
9.1
9.1.1
9.1.2
9.2-rc-1
9.2
9.3-rc-1
9.3
9.3.1
9.4-rc-1
9.4
9.5-rc-1
9.5
9.5.1
9.6-rc-1
9.6
9.7-rc-1
9.7
9.8-rc-1
9.8
9.8.1
9.9-rc-1
9.9-rc-2
9.9
9.10-rc-1
9.10
9.10.1
9.11-rc-1
9.11
9.11.1
9.11.2
9.11.3
9.11.4
9.11.5
9.11.6
9.11.7
9.11.8
9.11.9

10.*

10.0
10.1-rc-1
10.1
10.2
10.3
10.4-rc-1
10.4
10.5-rc-1
10.5
10.6-rc-1
10.6
10.6.1
10.7-rc-1
10.7
10.7.1
10.8-rc-1
10.8
10.8.1
10.8.2
10.8.3
10.9
10.10-rc-1
10.10
10.11-rc-1
10.11
10.11.1
10.11.2
10.11.3
10.11.4
10.11.5
10.11.6
10.11.7
10.11.8
10.11.9
10.11.10
10.11.11

11.*

11.0
11.0.1
11.0.2
11.0.3
11.1-rc-1
11.1
11.2-rc-1
11.2
11.3-rc-1
11.3
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.4-rc-1
11.4
11.5-rc-1
11.5
11.6-rc-1
11.6
11.6.1
11.7-rc-1
11.7
11.8-rc-1
11.8
11.8.1
11.9
11.10
11.10.1
11.10.2
11.10.3
11.10.4
11.10.5
11.10.6
11.10.7
11.10.8
11.10.10
11.10.11
11.10.12
11.10.13

12.*

12.0-rc-1
12.0
12.1-rc-1
12.1
12.2
12.2.1
12.3-rc-1
12.3
12.4-rc-1
12.4
12.5-rc-1
12.5
12.5.1
12.6
12.6.1
12.6.2
12.6.3
12.6.4
12.6.5
12.6.6
12.6.7
12.6.8
12.7-rc-1
12.7
12.7.1
12.8-rc-1
12.8
12.9-rc-1
12.9
12.10
12.10.1
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
12.10.7
12.10.8
12.10.9
12.10.10
12.10.11

13.*

13.0
13.1-rc-1
13.1
13.2-rc-1
13.2
13.3-rc-1
13.3
13.4-rc-1
13.4
13.4.1
13.4.2
13.4.3
13.4.4
13.4.5
13.4.6
13.4.7
13.5-rc-1
13.5
13.6-rc-1
13.6
13.7-rc-1
13.7
13.8-rc-1
13.8
13.9-rc-1
13.9
13.10-rc-1
13.10
13.10.1
13.10.2
13.10.3
13.10.4
13.10.5
13.10.6
13.10.7
13.10.8
13.10.9
13.10.10
13.10.11

14.*

14.0-rc-1
14.0
14.1-rc-1
14.1
14.2-rc-1
14.2
14.2.1
14.3-rc-1
14.3
14.3.1
14.4-rc-1
14.4
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.5