Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS05aHFoLWZtaGctdnEyas4AAv_O

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

• Log in as a simple user with just edit rights on the user profile
• Go to the user's profile
• Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
• Click on "rename" in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename
• Go back to the user profile
• Click on the edit icon on the user avatar
• Hello from groovy! is displayed as the title of the attachment

Scenario 2:

• Log in as a simple user with just edit rights on a page
• Create a Page MyPage.WebHome
• Create an XClass field of type String named avatar
• Add an XObject of type MyPage.WebHome on the page
• Insert an attachmentSelector macro in the document with the following values:
  • classname: MyPage.WebHome
  • property: avatar
  • savemode: direct
  • displayImage: true
  • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of an attachmentSelector macro declaration.
• Display the page
• Use the attachment picker to select an image
• Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

• 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
• 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
• 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Workarounds

No known workaround.

References

• https://jira.xwiki.org/browse/XWIKI-19800

For more information

If you have any questions or comments about this advisory:

• Open an issue in Jira XWiki.org
• Email us at Security Mailing List

Permalink: https://github.com/advisories/GHSA-9hqh-fmhg-vq2j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05aHFoLWZtaGctdnEyas4AAv_O
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-9hqh-fmhg-vq2j, CVE-2022-41928
References:

• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j
• https://nvd.nist.gov/vuln/detail/CVE-2022-41928
• https://jira.xwiki.org/browse/XWIKI-19800
• https://github.com/advisories/GHSA-9hqh-fmhg-vq2j

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages