Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability

Impact

Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter.

A proof of concept exploit is to open /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where is the URL of your XWiki installation.

Patches

The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.

Workarounds

The issue can be fixed manually applying this patch.

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-w7v9-fc49-4qg4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: over 1 year ago


CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Percentage: 0.00315
EPSS Percentile: 0.71049

Identifiers: GHSA-w7v9-fc49-4qg4, CVE-2023-29211
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki
Affected Version Ranges: >= 14.5, < 14.10, >= 14.0-rc-1, < 14.4.7, >= 5.3-milestone-2, < 13.10.11
Fixed in: 14.10, 14.4.7, 13.10.11