Skip to content

Privilege escalation to programming rights via user's first name

Critical
tmortagne published GHSA-8cw6-4r32-6r3h Mar 1, 2023

Package

maven org.xwiki.commons:xwiki-commons-xml (Maven)

Affected versions

>= 3.1-milestone-1

Patched versions

14.7-rc-1, 13.10.9, 14.4.4

Description

Impact

Any user can edit his own profile and inject code which is going to be executed with programming right.

Steps to reproduce:

  • Set your first name to
    {{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}

The first name appears as interpreted "Hello from groovy" instead of the expected fully escaped "{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}".

The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using Apps Within Minutes that use a short text field.

Patches

The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1.

Workarounds

There are no other workarounds than upgrading XWiki or patching the xwiki-commons-xml JAR file.

References

For more information

If you have any questions or comments about this advisory:

Severity

Critical
9.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-26055

Weaknesses