Skip to content

Rating Script Service expose XWiki to SQL injection

High
surli published GHSA-79rg-7mv3-jrr5 Mar 19, 2021

Package

maven org.xwiki.platform:xwiki-platform-ratings-api,org.xwiki.contrib:application-ratings (Maven)

Affected versions

[6.4-milestone-3 - 12.9RC1]

Patched versions

12.9RC1

Description

Impact

This issue impacts only XWiki with the Ratings API installed.
The Rating Script Service expose an API to perform SQL requests without escaping the from and where search arguments.
This might lead to an SQL script injection quite easily for any user having Script rights on XWiki.

Patches

The problem has been patched in XWiki 12.9RC1.

Workarounds

The only workaround besides upgrading XWiki would be to uninstall the Ratings API in XWiki from the Extension Manager.

References

https://jira.xwiki.org/browse/XWIKI-17662

For more information

If you have any questions or comments about this advisory:

Severity

High
7.7
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N

CVE ID

CVE-2021-21380

Weaknesses