GHSA-x2qm-r4wx-8gpg

Suggest an improvement
Source
https://github.com/advisories/GHSA-x2qm-r4wx-8gpg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-x2qm-r4wx-8gpg/GHSA-x2qm-r4wx-8gpg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2qm-r4wx-8gpg
Aliases
Published
2023-03-03T22:51:02Z
Modified
2023-11-08T04:12:01.718825Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
Details

Impact

It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters form_token=1&action=create.

For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following groovy code: println("hello from groovy!") on the server.

Patches

This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.

Workarounds

It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

References

  • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
  • https://jira.xwiki.org/browse/XWIKI-19757

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name
org.xwiki.platform:xwiki-platform-flamingo-theme-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.4
Fixed
13.10.10

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name
org.xwiki.platform:xwiki-platform-flamingo-theme-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0
Fixed
14.4.6

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name
org.xwiki.platform:xwiki-platform-flamingo-theme-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.5
Fixed
14.9-rc-1