Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
Impact
Any user with view rights WikiManager.DeleteWiki
can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId
url parameter.
A proof of concept exploit is to open /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where is the URL of your XWiki installation.
Patches
The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.
Workarounds
The issue can be fixed manually applying this patch.
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Percentage: 0.00315
EPSS Percentile: 0.71049
Identifiers: GHSA-w7v9-fc49-4qg4, CVE-2023-29211
References:
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4
- https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
- https://jira.xwiki.org/browse/XWIKI-20297
- https://nvd.nist.gov/vuln/detail/CVE-2023-29211
- https://github.com/advisories/GHSA-w7v9-fc49-4qg4
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
Affected Version Ranges: >= 14.5, < 14.10, >= 14.0-rc-1, < 14.4.7, >= 5.3-milestone-2, < 13.10.11Fixed in: 14.10, 14.4.7, 13.10.11