Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq

org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability

Impact

Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter.

A proof of concept exploit is to open /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where is the URL of your XWiki installation.

Patches

The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.

Workarounds

The issue can be fixed manually applying this patch.

If you have any questions or comments about this advisory:

• Open an issue in Jira XWiki.org
• Email us at Security Mailing List

Permalink: https://github.com/advisories/GHSA-w7v9-fc49-4qg4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13N3Y5LWZjNDktNHFnNM4AAyuq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: 12 months ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-w7v9-fc49-4qg4, CVE-2023-29211
References:

• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4
• https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64
• https://jira.xwiki.org/browse/XWIKI-20297
• https://nvd.nist.gov/vuln/detail/CVE-2023-29211
• https://github.com/advisories/GHSA-w7v9-fc49-4qg4

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages