Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS13Y2c5LXBncXYteG01ds4AA-yA

XWiki Platform allows XSS through XClass name in string properties

Impact

Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript.
This requires social engineer to trick a user to follow the URL.

Reproduction steps

1. As a user without script or programming right, create a (non-terminal) document named " + alert(1) + " (the quotes need to be part of the name).
2. Edit the class.
3. Add a string property named "test".
4. Edit using the object editor and add an object of the created class
5. Get an admin to open <xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit where <xwiki-server> is the URL of your XWiki installation.

Patches

This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Workarounds

We're not aware of any workaround except upgrading.

References

• https://jira.xwiki.org/browse/XWIKI-21810
• https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c

Permalink: https://github.com/advisories/GHSA-wcg9-pgqv-xm5v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS13Y2c5LXBncXYteG01ds4AA-yA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 3 months ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-wcg9-pgqv-xm5v, CVE-2024-43400
References:

• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wcg9-pgqv-xm5v
• https://nvd.nist.gov/vuln/detail/CVE-2024-43400
• https://github.com/xwiki/xwiki-platform/commit/27eca8423fc1ad177518077a733076821268509c
• https://jira.xwiki.org/browse/XWIKI-21810
• https://github.com/advisories/GHSA-wcg9-pgqv-xm5v

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages