GoogleOSV:GHSA-36FM-J33W-C25FPrivilege escalation (PR)/RCE from account through class sheet
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
59.6%
Impact
It’s possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document.
Steps to Reproduce:
- Edit your user profile with the object editor and add an object of type
DocumentSheetBindingwith valueDefault Class Sheet - Edit your user profile with the wiki editor and add the syntax
{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} - Click “Save & View”
Expected result:
An error is displayed as the user doesn’t have the right to execute the Groovy macro.
Actual result:
The text “Hello from groovy!” is displayed at the top of the document.
Patches
This has been patched in XWiki 15.0-rc-1 and 14.10.4.
Workarounds
There are no known workarounds for it.
References
https://jira.xwiki.org/browse/XWIKI-20566
https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Related
9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
0.002 Low
EPSS
Percentile
59.6%