Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qNTg0LWoydmotM2Y5M84AA9Pv

XWiki Platform allows remote code execution from user account

Impact

When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account.

To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add {{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}.
As an admin, go to the user profile and click the "Disable this account" button.
Then, reload the page. If the logs show attacker - Hello from Groovy! then the instance is vulnerable.

Patches

This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Workarounds

We're not aware of any workaround except upgrading.

References

Permalink: https://github.com/advisories/GHSA-j584-j2vj-3f93
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qNTg0LWoydmotM2Y5M84AA9Pv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 3 months ago
Updated: 30 days ago

CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Identifiers: GHSA-j584-j2vj-3f93, CVE-2024-37899
References:

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-oldcore

Affected Version Ranges: >= 16.0.0-rc-1, < 16.0.0, >= 15.6-rc-1, < 15.10.6, >= 15.0-rc-1, < 15.5.5, >= 13.10.3, < 14.10.21, >= 13.4.7, < 13.5
Fixed in: 16.0.0, 15.10.6, 15.5.5, 14.10.21, 14.10.21