Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1obW03LTZwaDktOGpmMs4AAyuz

org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}

Patches

This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Workarounds

No known workaround.

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-hmm7-6ph9-8jf2
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1obW03LTZwaDktOGpmMs4AAyuz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 12 months ago


CVSS Score: 8.9
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Identifiers: GHSA-hmm7-6ph9-8jf2, CVE-2023-29508
References: Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-livedata-macro
Affected Version Ranges: >= 14.9, < 14.10, >= 14.4, < 14.4.7, >= 13.10.10, < 13.10.11
Fixed in: 14.10, 14.4.7, 13.10.11