Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS05cjlqLTU3cmYtZjZ2as4AAu1f

XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form

Impact

It's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment.

For example, an attachment with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.

Patches

This issue has been patched in XWiki 14.4RC1.

Workarounds

It is possible to fix the vulnerability by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replace

#set($titleToDisplay = $services.localization.render('attachment.move.title', 
  [$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))

#set($titleToDisplay = $services.localization.render('attachment.move.title', [
  $escapetool.xml($attachment.name), 
  $escapetool.xml($doc.plainTitle), 
  $escapetool.xml($doc.getURL())
]))

See the corresponding patch.

References

https://jira.xwiki.org/browse/XWIKI-19667

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Permalink: https://github.com/advisories/GHSA-9r9j-57rf-f6vj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05cjlqLTU3cmYtZjZ2as4AAu1f
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: almost 2 years ago

CVSS Score: 8.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Identifiers: GHSA-9r9j-57rf-f6vj, CVE-2022-36097
References:

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-attachment-ui

Affected Version Ranges: >= 14.0-rc-1, < 14.4-rc-1
Fixed in: 14.4-rc-1