Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oMnJtLTI5Y2gtd2ZtaM4AA2gS

XWiki Identity Oauth Privilege escalation (PR)/remote code execution from login screen through unescaped URL parameter

Impact

When login via the OAuth method, the identityOAuth parameters, sent in a GET request is vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation.

The vulnerability is in this part of the code.

Patches

The issue has been fixed in Identity OAuth version 1.6 by https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6 . The fix is in the content of the IdentityOAuth/LoginUIExtension file

Workarounds

There are no known workarounds besides upgrading.

References

Are there any links users can visit to find out more?

Original report: https://jira.xwiki.org/browse/XWIKI-20719

Permalink: https://github.com/advisories/GHSA-h2rm-29ch-wfmh
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oMnJtLTI5Y2gtd2ZtaM4AA2gS
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 7 months ago
Updated: 6 months ago

CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Identifiers: GHSA-h2rm-29ch-wfmh, CVE-2023-45144
References:

Repository: https://github.com/xwikisas/identity-oauth
Blast Radius: 1.0

Affected Packages

maven:com.xwiki.identity-oauth:identity-oauth-ui

Affected Version Ranges: >= 1.0, < 1.6
Fixed in: 1.6