Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wNWY4LXFmMjQtMjRjas4AA36y

Velocity execution without script right through tree macro

Impact

It's possible to execute a Velocity script without script right through the document tree.

To reproduce:

As a user without script right, create a document, e.g., named Nasty Title
Set the document's title to $request.requestURI
Click "Save & View"
Reload the page in the browser

The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right.

Patches

This has been patched in XWiki 14.10.7 and 15.2RC1.

Workarounds

A possible workaround is to:

modify the page XWiki.DocumentTreeMacros
search for the code #set ($discard = $translatedDocument.setTitle($translatedDocument.title))
modify it into #set ($discard = $translatedDocument.setcomment(''))

References

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Permalink: https://github.com/advisories/GHSA-p5f8-qf24-24cj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wNWY4LXFmMjQtMjRjas4AA36y
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 5 months ago
Updated: 5 months ago

CVSS Score: 8.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Identifiers: GHSA-p5f8-qf24-24cj, CVE-2023-50732
References:

Repository: https://github.com/xwiki/xwiki-platform
Blast Radius: 1.0

Affected Packages

maven:org.xwiki.platform:xwiki-platform-index-tree-macro

Affected Version Ranges: >= 15.0-rc-1, < 15.2-rc-1, >= 8.3-rc-1, < 14.10.7
Fixed in: 15.2-rc-1, 14.10.7