9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.004 Low
EPSS
Percentile
73.2%
Any user with edit rights on any document (e.g., the own user profile) can execute code with programming rights, leading to remote code execution by following these steps:
{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
XWiki.TemplateProviderClass
(named “Template Provider Class”) to that document.?sheet=XWiki.AdminTemplatesSheet
to the URL.When the attack is successful, a template with name “Hello from groovy!” is displayed in the list while on fixed systems, the full title should be displayed.
This vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1.
The vulnerability can be fixed by patching the code in the affected XWiki document as shown in the patch.
If you have any questions or comments about this advisory: