Privilege escalation (PR) from account through like LiveTableResults

Critical

manuelleduc published GHSA-rf8j-q39g-7xfm

Jun 20, 2023

Package

org.xwiki.platform:xwiki-platform-like-ui (Maven)

Affected versions

>= 12.9-rc-1

Patched versions

14.4.8, 14.10.6, 15.1

Description

Impact

Any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation.

Patches

The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1.

Workarounds

The vulnerability can be fixed by applying this patch.

On versions before 13.4-rc-1, the fix needs to be applied on XWiki.Like.Code.LiveTableResultPage.

References

The reported issue https://jira.xwiki.org/browse/XWIKI-20611, fixed by https://jira.xwiki.org/browse/XWIKI-19900
The patch 6ce2d04#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Severity

Critical

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H