XWiki 2.5-m-1 < 14.4.8, 14.5 < 14.10.6, 15.0-rc-1 < 15.2-rc-1 Privilege Escalation Vulnerability (GHSA-7954-6m9q-gpvf)

2023-08-2800:00:00

plugins.openvas.org

xwiki

privilege escalation

vulnerability

ghsa-7954-6m9q-gpvf

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

7.3 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.8%

JSON

Xwiki is prone to a privilege escalation vulnerability.

# SPDX-FileCopyrightText: 2023 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:xwiki:xwiki";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.124419");
  script_version("2023-10-13T16:09:03+0000");
  script_tag(name:"last_modification", value:"2023-10-13 16:09:03 +0000 (Fri, 13 Oct 2023)");
  script_tag(name:"creation_date", value:"2023-08-28 08:15:22 +0000 (Mon, 28 Aug 2023)");
  script_tag(name:"cvss_base", value:"9.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_tag(name:"severity_origin", value:"NVD");
  script_tag(name:"severity_date", value:"2023-08-24 17:14:00 +0000 (Thu, 24 Aug 2023)");

  script_cve_id("CVE-2023-37914");

  script_tag(name:"qod_type", value:"remote_banner");

  script_tag(name:"solution_type", value:"VendorFix");

  script_name("XWiki 2.5-m-1 < 14.4.8, 14.5 < 14.10.6, 15.0-rc-1 < 15.2-rc-1 Privilege Escalation Vulnerability (GHSA-7954-6m9q-gpvf)");

  script_category(ACT_GATHER_INFO);

  script_copyright("Copyright (C) 2023 Greenbone AG");
  script_family("Web application abuses");
  script_dependencies("gb_xwiki_enterprise_detect.nasl");
  script_mandatory_keys("xwiki/detected");

  script_tag(name:"summary", value:"Xwiki is prone to a privilege escalation vulnerability.");

  script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");

  script_tag(name:"insight", value:"Any user who can view Invitation.WebHome can execute arbitrary
  script macros including Groovy and Python macros that allow remote code execution including
  unrestricted read and write access to all wiki contents. This can be reproduced with the
  following");

  script_tag(name:"affected", value:"XWiki version 2.5-m-1 prior to 14.4.8, 14.5 prior to
  14.10.6 and 15.0-rc-1 prior to 15.2-rc-1.");

  script_tag(name:"solution", value:"Update to version 14.4.8, 14.10.6, 15.2-rc-1 or later.");

  script_xref(name:"URL", value:"https://github.com/advisories/GHSA-7954-6m9q-gpvf");

  exit(0);
}

include("host_details.inc");
include("version_func.inc");

if( ! port = get_app_port( cpe:CPE ) )
  exit( 0 );

if( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:TRUE ) )
  exit( 0 );

version = infos["version"];
location = infos["location"];

if( version_in_range_exclusive( version:version, test_version_lo:"2.5-m-1", test_version_up:"14.4.8" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"14.4.8", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

if( version_in_range_exclusive( version:version, test_version_lo:"14.5", test_version_up:"14.10.6" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"14.10.6", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

if( version_in_range_exclusive( version:version, test_version_lo:"15.0-rc-1", test_version_up:"15.2-rc-1" ) ) {
  report = report_fixed_ver( installed_version:version, fixed_version:"15.2-rc-1", install_path:location );
  security_message( port:port, data:report );
  exit( 0 );
}

exit( 99 );