9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.1%
In XWiki Platform, it’s possible to execute content with the right of any user if you can make this user follow a crafted URL. This is possible because edit action sets and thereby executes the page content without checking for a cross-site request forgert (CSRF) token.
To reproduce:
Get a user with programming rights to visit the URL <xwiki-host>/xwiki/bin/edit/Main/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view
, where <xwiki-host>
is the URL of your XWiki installation. This can be done by embedding an image with this URL.
The text “Hello from Groovy!” is displayed in the page content, showing that the Groovy macro has been executed.
This has been patched in XWiki 14.10.7 and 15.2-RC-1.
There are no known workarounds for it.
If you have any questions or comments about this advisory:
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.7 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
34.1%