GHSA-F776-W9V2-7VFJ

Vulnerability from github – Published: 2023-10-17 02:19 – Updated: 2023-10-17 02:19
VLAI?
Summary
XWiki Change Request Application UI XSS and remote code execution through change request title
Details

Impact

It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.

Patches

The vulnerability has been fixed in Change Request 1.9.2.

Workarounds

It's possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.

References

  • JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
  • Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Thanks Michael Hamann for the report.

Severity ?
10.0 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.contrib.changerequest:application-changerequest-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.11"
            },
            {
              "fixed": "1.9.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-45138"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T02:19:16Z",
    "nvd_published_at": "2023-10-12T17:15:09Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nIt\u0027s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. \nThis vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.\n\n### Patches\n\nThe vulnerability has been fixed in Change Request 1.9.2. \n\n### Workarounds\n\nIt\u0027s possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4. \n\n### References\n\n  * JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298\n  * Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n\n### Attribution\n\nThanks Michael Hamann for the report.",
  "id": "GHSA-f776-w9v2-7vfj",
  "modified": "2023-10-17T02:19:16Z",
  "published": "2023-10-17T02:19:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/application-changerequest/security/advisories/GHSA-f776-w9v2-7vfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45138"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki-contrib/application-changerequest"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/CRAPP-298"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Change Request Application UI XSS and remote code execution through change request title"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.