9.9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
0.005 Low
EPSS
Percentile
75.8%
Any user who can view Invitation.WebHome
can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps:
{{cache}}{{groovy}}new File("/tmp/exploit.txt").withWriter { out -> out.println("Attacked from invitation!"); }{{/groovy}}{{/cache}}
The vulnerability has been patched on XWiki 14.4.8, 15.2-rc-1, and 14.10.6.
The vulnerability can be patched manually by applying the patch on Invitation.InvitationCommon
and Invitation.InvitationConfig
.
If you have any questions or comments about this advisory: