GoogleOSV:GHSA-WCG9-PGQV-XM5VXWiki Platform allows XSS through XClass name in string properties
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%
Impact
Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript.
This requires social engineer to trick a user to follow the URL.
Reproduction steps
- As a user without script or programming right, create a (non-terminal) document named
" + alert(1) + "(the quotes need to be part of the name). - Edit the class.
- Add a string property named
"test". - Edit using the object editor and add an object of the created class
- Get an admin to open
<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=editwhere<xwiki-server>is the URL of your XWiki installation.
Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Workarounds
We’re not aware of any workaround except upgrading.
References
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
21.8%