Skip to content

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Critical severity GitHub Reviewed Published Nov 21, 2022 in xwiki/xwiki-platform • Updated Feb 3, 2023

Package

maven org.xwiki.platform:xwiki-platform-attachment-ui (Maven)

Affected versions

>= 5.0-milestone-1, < 13.10.7
>= 14.0.0, < 14.4.2

Patched versions

13.10.7
14.4.2

Description

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

  • Log in as a simple user with just edit rights on the user profile
  • Go to the user's profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on "rename" in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • Hello from groovy! is displayed as the title of the attachment

Scenario 2:

  • Log in as a simple user with just edit rights on a page
  • Create a Page MyPage.WebHome
  • Create an XClass field of type String named avatar
  • Add an XObject of type MyPage.WebHome on the page
  • Insert an attachmentSelector macro in the document with the following values:
    • classname: MyPage.WebHome
    • property: avatar
    • savemode: direct
    • displayImage: true
    • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of an attachmentSelector macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

Workarounds

No known workaround.

References

For more information

If you have any questions or comments about this advisory:

References

@surli surli published to xwiki/xwiki-platform Nov 21, 2022
Published to the GitHub Advisory Database Nov 21, 2022
Reviewed Nov 21, 2022
Published by the National Vulnerability Database Nov 23, 2022
Last updated Feb 3, 2023

Severity

Critical
10.0
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2022-41928

GHSA ID

GHSA-9hqh-fmhg-vq2j

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.