ghsa-7654-vfh6-rw6x
Vulnerability from github
Published
2023-12-16 00:35
Modified
2023-12-16 00:35
Severity ?
Summary
Remote code execution from account through SearchAdmin
Details

Impact

The search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user.

To reproduce, edit any document with the object editor, add an object of type XWiki.UIExtensionClass, set "Extension Point Id" to org.xwiki.platform.search, set "Extension ID" to {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}, set "Extension Parameters" to label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}} and "Extension Scope" to "Current User". Then open the page XWiki.SearchAdmin, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki's log that announce that attacks succeeded, the instance is vulnerable.

Patches

The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1.

Workarounds

The patch can be manually applied to the page XWiki.SearchAdmin.

References

  • https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
  • https://jira.xwiki.org/browse/XWIKI-21200
Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5-rc-1"
            },
            {
              "fixed": "14.10.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6-rc-1"
            },
            {
              "fixed": "15.7-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-16T00:35:25Z",
    "nvd_published_at": "2023-12-15T19:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe search administration interface doesn\u0027t properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user\u0027s profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user.\n\nTo reproduce, edit any document with the object editor, add an object of type `XWiki.UIExtensionClass`, set \"Extension Point Id\" to `org.xwiki.platform.search`, set \"Extension ID\" to `{{async}}{{groovy}}services.logging.getLogger(\"attacker\").error(\"Attack from extension id succeeded!\"){{/groovy}}{{/async}}`, set \"Extension Parameters\" to `label={{async}}{{groovy}}services.logging.getLogger(\"attacker\").error(\"Attack from label succeeded!\"){{/groovy}}{{/async}}` and \"Extension Scope\" to \"Current User\". Then open the page `XWiki.SearchAdmin`, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki\u0027s log that announce that attacks succeeded, the instance is vulnerable.\n\n\n### Patches\nThe necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1.\n\n### Workarounds\nThe [patch](https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766#diff-2272c913e5ca43813e52f8fa748c9b043bf0f01561908d7eba6ca3601d8475c4) can be manually applied to the page `XWiki.SearchAdmin`.\n\n### References\n* https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766\n* https://jira.xwiki.org/browse/XWIKI-21200",
  "id": "GHSA-7654-vfh6-rw6x",
  "modified": "2023-12-16T00:35:25Z",
  "published": "2023-12-16T00:35:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7654-vfh6-rw6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50721"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21200"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Remote code execution from account through SearchAdmin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.