GitHub Advisory DatabaseGHSA-HMM7-6PH9-8JF2org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting
8.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
0.001 Low
EPSS
Percentile
29.6%
Impact
A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.
For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.
{{liveData id="movies" properties="title,description"}}
{
"data": {
"count": 1,
"entries": [
{
"title": "Meet John Doe",
"url": "https://www.imdb.com/title/tt0033891/",
"description": "<img src />"
}
]
},
"meta": {
"propertyDescriptors": [
{
"id": "title",
"name": "Title",
"visible": true,
"displayer": {"id": "link", "propertyHref": "url"}
},
{
"id": "description",
"name": "Description",
"visible": true,
"displayer": "html"
}
]
}
}
{{/liveData}}
Patches
This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Workarounds
No known workaround.
References
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
Affected configurations
Related
8.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L
0.001 Low
EPSS
Percentile
29.6%