GitHub Advisory Database: GHSA-4F8M-7H83-9F6M
History: Aug 23, 2023 - 8:37 p.m.

XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action

2023-08-23 20:37:04
CWE-352
GitHub Advisory Database
github.com
8
Tags: xwiki, csrf, privilege escalation, rce, vulnerability, patch, remote code execution, xwiki syntax, tokenization, integrity, availability

CVSS3: 9

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS: 0.002
Percentile: 56.1%

Impact

The create action is vulnerable to a CSRF attack. When the target is a user with script or programming right, the attack allows script execution and thus remote code execution, compromising the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, the XWiki syntax [[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)]] can be added to any place that supports XWiki syntax, such as a comment. When a user with script right views this image and the log message "ERROR foo - Script executed!" appears in the log, the XWiki installation is vulnerable.

Patches

This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation.
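As an added illustration (not XWiki's own code), the following Python models the create action before and after the fix the advisory describes: a cookie-authenticated GET of the kind an embedded image triggers goes through in the unprotected version, while the protected version only creates the page when a token bound to the viewer's session is submitted with the form. The session store, request shapes and the form_token parameter name are assumptions made for this example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed in-memory store: session id -> CSRF token issued for that session.
SESSION_TOKENS: dict[str, str] = {}


def issue_token(session_id: str) -> str:
    """Mint a random token for the session; the real create form would embed it."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def create_unprotected(request: dict) -> str:
    """Pre-fix shape: any cookie-authenticated GET with the right query string creates
    the page, so a cross-site image URL is enough (the browser attaches the cookies)."""
    parts = urlsplit(request["url"])
    title = parse_qs(parts.query).get("title", [""])[0]
    return f"created {parts.path} title={title!r}"


def create_protected(request: dict) -> str:
    """Post-fix shape: creation only on POST carrying a token that matches the session's.
    'form_token' is an assumed parameter name for this illustration."""
    if request.get("method") != "POST":
        return "403 creation requires POST"
    expected = SESSION_TOKENS.get(request["session"])
    supplied = request.get("form", {}).get("form_token", "")
    # Constant-time comparison; a missing session token also fails closed.
    if not expected or not hmac.compare_digest(expected, supplied):
        return "403 missing or invalid CSRF token"
    parts = urlsplit(request["url"])
    title = request["form"].get("title", "")
    return f"created {parts.path} title={title!r}"


def demo() -> tuple[str, str, str]:
    """Constructed requests: the forged GET an embedded image fires, then a legitimate POST."""
    session = "sess-victim"  # constructed session id
    token = issue_token(session)
    forged = {"session": session, "method": "GET",
              "url": "/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=Hello"}
    legit = {"session": session, "method": "POST", "url": "/xwiki/bin/create/Foo/WebHome",
             "form": {"title": "Hello", "form_token": token}}
    return create_unprotected(forged), create_protected(forged), create_protected(legit)
```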

Workarounds

There are no known workarounds.

Affected configurations

Vulners node:
  org.xwiki.platform:xwiki-platform-oldcore, range 15.0-rc-1 to 15.4-rc-1
  OR
  org.xwiki.platform:xwiki-platform-oldcore, range 3.2-milestone-3 to 14.10.9

Vendor: org.xwiki.platform
Product: xwiki-platform-oldcore
Version: *
CPE: cpe:2.3:a:org.xwiki.platform:xwiki-platform-oldcore:*:*:*:*:*:*:*:*
