Lucene search

K
githubGitHub Advisory DatabaseGHSA-R5VH-GC3R-R24W
HistoryApr 10, 2024 - 5:14 p.m.

XWiki Platform CSRF remote code execution through the realtime HTML Converter API

2024-04-1017:14:59
CWE-352
GitHub Advisory Database
github.com
12
xwiki
platform
csrf
remote code execution
realtime html converter api
admin user
xwiki syntax
groovy
python
vulnerability
patch
xwiki 14.10.19
xwiki 15.5.4
xwiki 15.9
workaround
synchronization
editor
jira
github

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.3%

Impact

When the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by getting an admin user to either visit a crafted URL or to view an image with this URL that could be in a comment, the attacker can get the admin to execute arbitrary XWiki syntax including scripting macros with Groovy or Python code. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an XWiki installation, as an admin, click on <xwiki-host>/xwiki/bin/get/RTFrontend/ConvertHTML?wiki=xwiki&space=Main&page=WebHome&text=%7B%7Bvelocity%7D%7D%24logtool.error%28%22Hello%20from%20Velocity%20%21%22%29%7B%7B%2Fvelocity%7D%7D. If the error “Hello from Velocity!” gets logged then the installation is vulnerable.

Patches

This vulnerability has been patched in XWiki 14.10.19, 15.5.4 and 15.9.

Workarounds

Update RTFrontend.ConvertHTML following this patch.
This will, however, break some synchronization processes in the realtime editor, so upgrading should be the preferred way on installations where this editor is used.

References

Affected configurations

Vulners
Node
github_advisory_databaseorg.xwiki.platform\Matchxwiki-platform-realtime-ui
OR
github_advisory_databaseorg.xwiki.platform\Matchxwiki-platform-realtime-ui
OR
github_advisory_databaseorg.xwiki.platform\Matchxwiki-platform-realtime-ui
OR
github_advisory_databaseorg.xwiki.platform\Matchxwiki-platform-realtime-ui

9.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

7.8 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.3%

Related for GHSA-R5VH-GC3R-R24W