Ecosyste.ms: Advisories


Security Advisories: GSA_kwCzR0hTQS1mNzc2LXc5djItN3Zmas4AA2fh

XWiki Change Request Application UI XSS and remote code execution through change request title

Impact

A user without any specific rights can perform script injection and remote code execution simply by supplying a crafted title when creating a new Change Request.
This vulnerability is particularly critical because Change Requests are intended to be created by users without any particular rights.

Patches

The vulnerability has been fixed in Change Request 1.9.2.

Workarounds

It's possible to work around the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and applying the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.

Attribution

Thanks Michael Hamann for the report.

Permalink: https://github.com/advisories/GHSA-f776-w9v2-7vfj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNzc2LXc5djItN3Zmas4AA2fh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 6 months ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-f776-w9v2-7vfj, CVE-2023-45138
References: Repository: https://github.com/xwiki-contrib/application-changerequest
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.contrib.changerequest:application-changerequest-ui
Affected Version Ranges: >= 0.11, < 1.9.2
Fixed in: 1.9.2