Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNzc2LXc5djItN3Zmas4AA2fh
XWiki Change Request Application UI XSS and remote code execution through change request title
Impact
It's possible for a user without any specific rights to perform script injection and remote code execution simply by inserting a crafted title when creating a new Change Request.
This vulnerability is particularly critical because Change Requests are intended to be created by users without any particular rights.
Patches
The vulnerability has been fixed in Change Request 1.9.2.
Workarounds
It's possible to work around the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet
and applying the same change as in the fix commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.
References
- JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
- Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
Thanks Michael Hamann for the report.
Permalink: https://github.com/advisories/GHSA-f776-w9v2-7vfj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNzc2LXc5djItN3Zmas4AA2fh
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Percentage: 0.0051
EPSS Percentile: 0.7716
Identifiers: GHSA-f776-w9v2-7vfj, CVE-2023-45138
References:
- https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj
- https://nvd.nist.gov/vuln/detail/CVE-2023-45138
- https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4
- https://jira.xwiki.org/browse/CRAPP-298
- https://github.com/advisories/GHSA-f776-w9v2-7vfj
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.contrib.changerequest:application-changerequest-ui
Affected Version Ranges: >= 0.11, < 1.9.2
Fixed in: 1.9.2