Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1oN2N3LTQ0dnAtanE3aM4AAz9y

XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension.

To reproduce:

Add an object of type UIExtensionClass
Set "Extension Point ID" to org.xwiki.platform.help.tipsPanel
Set "Extension ID" to org.xwiki.platform.user.test (needs to be unique but otherwise doesn't matter)

Set "Extension Parameters" to

tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

Set "Extension Scope" to "Current User".
Click "Save & View"
Open the "Help.TipsPanel" document at /xwiki/bin/view/Help/TipsPanel where is the URL of your XWiki installation and press refresh repeatedly.

The groovy macro is executed, after the fix you get an error instead.

This has been patched in XWiki 15.1-rc-1 and 14.10.5.

There are no known workarounds for it.

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-h7cw-44vp-jq7h
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oN2N3LTQ0dnAtanE3aM4AAz9y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 3 months ago
Updated: 3 months ago

CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-h7cw-44vp-jq7h, CVE-2023-35166
References:

Versions: >= 15.0-rc-1, < 15.1-rc-1, >= 8.1-milestone-1, < 14.10.5
Fixed in: 15.1-rc-1, 14.10.5