Lucene search

GitHub Advisory DatabaseGHSA-F776-W9V2-7VFJ

HistoryOct 17, 2023 - 2:19 a.m.

XWiki Change Request Application UI XSS and remote code execution through change request title

2023-10-1702:19:16

CWE-79

GitHub Advisory Database

github.com

xwiki

change request

xss

remote code execution

vulnerability

patches

workarounds

jira

commit

security advisory

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS

0.003

Percentile

72.0%

JSON

Impact

It’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request.
This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.

Patches

The vulnerability has been fixed in Change Request 1.9.2.

Workarounds

It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.

References

JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

Thanks Michael Hamann for the report.

Affected configurations

Vulners

Node

org.xwiki.contrib.changerequestapplication-changerequest-uiRange0.11–1.9.2

VendorProductVersionCPE
org.xwiki.contrib.changerequestapplication-changerequest-ui*cpe:2.3:a:org.xwiki.contrib.changerequest:application-changerequest-ui:*:*:*:*:*:*:*:*