ghsa-9hqh-fmhg-vq2j
Vulnerability from github
Published: 2022-11-21 22:34
Modified: 2022-11-21 22:34
Severity: CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Summary
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Details

Impact

Any user with the right to edit their own personal page can follow one of the scenarios below:

Scenario 1:
  • Log in as a simple user with just edit rights on the user profile
  • Go to the user's profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on "rename" in the attachment list and enter `{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png` as the new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • `Hello from groovy!` is displayed as the title of the attachment

Scenario 2:
  • Log in as a simple user with just edit rights on a page
  • Create a page `MyPage.WebHome`
  • Create an XClass field of type String named `avatar`
  • Add an XObject of type `MyPage.WebHome` on the page
  • Insert an `attachmentSelector` macro in the document with the following values:
      • classname: `MyPage.WebHome`
      • property: `avatar`
      • savemode: `direct`
      • displayImage: `true`
      • width: `]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}`. You'll find below a snippet of an `attachmentSelector` macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • `Hello from groovy` is displayed beside the image

Example of an attachmentSelector macro declaration: `{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

  • 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Workarounds

No known workaround.

References

  • https://jira.xwiki.org/browse/XWIKI-19800

For more information

If you have any questions or comments about this advisory:
  • Open an issue in Jira XWiki.org (https://jira.xwiki.org/)
  • Email us at the Security Mailing List (security@xwiki.org)



{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-attachment-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0-milestone-1"
            },
            {
              "fixed": "13.10.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-attachment-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0.0"
            },
            {
              "fixed": "14.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-41928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:34:57Z",
    "nvd_published_at": "2022-11-23T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAny user with the right to edit his personal page can follow one of the scenario below:\n\n**Scenario 1**:\n- Log in as a simple user with just edit rights on the user profile\n- Go to the user\u0027s profile\n- Upload an attachment in the attachment tab at the bottom of the page (any image is fine)\n- Click on \"rename\" in the attachment list and enter `{{async async=\"true\" cached=\"false\" context=\"doc.reference\"}}{{groovy}}println(\"Hello from groovy!\"){{/groovy}}{{/async}}.png` as new attachment name and submit the rename\n- Go back to the user profile\n- Click on the edit icon on the user avatar\n- `Hello from groovy!` is displayed as the title of the attachment\n\n**Scenario 2**:\n- Log in as a simple user with just edit rights on a page\n- Create a Page `MyPage.WebHome`\n- Create an XClass field of type String named `avatar`\n- Add an XObject of type `MyPage.WebHome` on the page\n- Insert an `attachmentSelector` macro in the document with the following values:\n  - **classname**: `MyPage.WebHome`\n  - **property**: `avatar`\n  - **savemode**: `direct`\n  - **displayImage**: `true`\n  - **width**: `]] {{async async=\"true\" cached=\"false\" context=\"doc.reference\"}}{{groovy}}println(\"Hello from groovy!\"){{/groovy}}{{/async}}`. You\u0027ll find below a snippet of an `attachmentSelector` macro declaration.\n- Display the page\n- Use the attachment picker to select an image\n- `Hello from groovy` is displayed aside the image\n\nExample of an `attachmentSelector` macro declaration:\n```\n`{{attachmentSelector classname=\"MyPage.WebHome\" property=\"avatar\" savemode=\"direct\" displayImage=\"true\" width=\"]] {{async async=~\"true~\" cached=~\"false~\" context=~\"doc.reference~\"~}~}{{groovy~}~}println(~\"Hello from groovy!~\"){{/groovy~}~}{{/async~}~}\"/}}`\n```\n\n**Note**: The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties.\n\n### Patches\nThe issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below:\n\n- 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23\n- 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23\n- 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23\n\n### Workarounds\nNo known workaround.\n\n### References\n- https://jira.xwiki.org/browse/XWIKI-19800\n\n### For more information\nIf you have any questions or comments about this advisory:\n- Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n- Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-9hqh-fmhg-vq2j",
  "modified": "2022-11-21T22:34:57Z",
  "published": "2022-11-21T22:34:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-9hqh-fmhg-vq2j"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41928"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19800"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027) in AttachmentSelector.xml"
}
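As an added example (not part of the advisory or of XWiki's own code), the two ECOSYSTEM ranges from the OSV record above can be checked against a deployed xwiki-platform version string to decide whether it falls in an affected window. The names `parse_version` and `is_affected` are chosen here, and the ordering of XWiki pre-release qualifiers (milestone before rc before the final release of the same base) is an assumption.

```python
import json
import re

# Affected ranges copied from the OSV record on this page (GHSA-9hqh-fmhg-vq2j).
ADVISORY_AFFECTED = json.loads("""
[
  {"package": {"ecosystem": "Maven", "name": "org.xwiki.platform:xwiki-platform-attachment-ui"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "5.0-milestone-1"}, {"fixed": "13.10.7"}]}]},
  {"package": {"ecosystem": "Maven", "name": "org.xwiki.platform:xwiki-platform-attachment-ui"},
   "ranges": [{"type": "ECOSYSTEM",
               "events": [{"introduced": "14.0.0"}, {"fixed": "14.4.2"}]}]}
]
""")

# Assumed ordering of XWiki pre-release qualifiers, lowest first.
# A final release (no qualifier) sorts after any pre-release of the same base.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}


def parse_version(version):
    """Turn '14.5-rc-1' into a tuple that orders like XWiki releases.
    Assumes a dotted numeric base and an optional '-<qualifier>-<n>' suffix."""
    base, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    nums += (0,) * (3 - len(nums))  # '14.5' orders like '14.5.0'
    if not suffix:
        return nums + (len(_QUALIFIER_RANK), 0)  # final release ranks highest
    m = re.fullmatch(r"([a-z]+)-?(\d*)", suffix)
    if not m or m.group(1) not in _QUALIFIER_RANK:
        raise ValueError("unrecognised version qualifier: %r" % version)
    return nums + (_QUALIFIER_RANK[m.group(1)], int(m.group(2) or 0))


def is_affected(version, affected=ADVISORY_AFFECTED):
    """OSV ECOSYSTEM range check: affected if introduced <= version < fixed."""
    v = parse_version(version)
    for entry in affected:
        for rng in entry["ranges"]:
            if rng["type"] != "ECOSYSTEM":
                continue
            introduced = fixed = None
            for ev in rng["events"]:
                if "introduced" in ev:
                    introduced = parse_version(ev["introduced"])
                if "fixed" in ev:
                    fixed = parse_version(ev["fixed"])
            if introduced is not None and v >= introduced and (fixed is None or v < fixed):
                return True
    return False
```

Note that 14.5-rc-1 is reported as not affected only because it lies beyond the second range's `fixed` boundary (14.4.2), which matches the patch list above.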

