GHSA-VWR6-QP4Q-2WJ7

Vulnerability from github – Published: 2023-03-03 22:48 – Updated: 2023-03-03 22:48
VLAI?
Summary
XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile
Details

Impact

One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content:

}}}
{{async async="true"}}
{{groovy}}
  println("Hello from Groovy!")
{{/groovy}}
{{/async}}
{{{

Can be done by creating a new page or even through the user profile for users not having edit right.

Patches

This has been patched in XWiki 14.9, 14.4.6, and 13.10.10.

Workarounds

An easy workaround is to actually fix the bug in the page IconThemesCode.IconThemeSheet by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45

References

https://jira.xwiki.org/browse/XWIKI-19731

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira * Email us at Security ML

Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2-milestone-1"
            },
            {
              "fixed": "13.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-icon-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-116"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-03T22:48:57Z",
    "nvd_published_at": "2023-03-02T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\nOne can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content:\n\n```\n}}}\n{{async async=\"true\"}}\n{{groovy}}\n  println(\"Hello from Groovy!\")\n{{/groovy}}\n{{/async}}\n{{{\n```\n\nCan be done by creating a new page or even through the user profile for users not having edit right.\n\n### Patches\n\nThis has been patched in XWiki 14.9, 14.4.6, and 13.10.10.\n\n### Workarounds\n\nAn easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45\n\n### References\n\nhttps://jira.xwiki.org/browse/XWIKI-19731\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira](http://jira.xwiki.org)\n* Email us at [Security ML](mailto:security@xwiki.org)\n",
  "id": "GHSA-vwr6-qp4q-2wj7",
  "modified": "2023-03-03T22:48:57Z",
  "published": "2023-03-03T22:48:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vwr6-qp4q-2wj7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19731"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.