Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03NjU0LXZmaDYtcnc2eM4AA328
Remote code execution from account through SearchAdmin
Impact
The search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user.
To reproduce, edit any document with the object editor, add an object of type XWiki.UIExtensionClass, set "Extension Point Id" to org.xwiki.platform.search, set "Extension ID" to {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}, set "Extension Parameters" to label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}} and "Extension Scope" to "Current User". Then open the page XWiki.SearchAdmin, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki's log that announce that attacks succeeded, the instance is vulnerable.
Patches
The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1.
Workarounds
The patch can be manually applied to the page XWiki.SearchAdmin.
References
- https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
- https://jira.xwiki.org/browse/XWIKI-21200
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03NjU0LXZmaDYtcnc2eM4AA328
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 11 months ago
Updated: 11 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-7654-vfh6-rw6x, CVE-2023-50721
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7654-vfh6-rw6x
- https://nvd.nist.gov/vuln/detail/CVE-2023-50721
- https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
- https://jira.xwiki.org/browse/XWIKI-21200
- https://github.com/advisories/GHSA-7654-vfh6-rw6x
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-search-ui
Affected Version Ranges: >= 15.6-rc-1, < 15.7-rc-1, >= 15.0-rc-1, < 15.5.2, >= 4.5-rc-1, < 14.10.15Fixed in: 15.7-rc-1, 15.5.2, 14.10.15