Skip to content

RCE in Annotations

Critical
tmortagne published GHSA-h6f5-8jj5-cxhr Mar 1, 2023

Package

maven org.xwiki:platform:xwiki-platform-annotation-ui (Maven)

Affected versions

>= 2.3-milestone-1, < 13.10.11
>= 14.0-rc-1, < 14.4.7
>= 14.5, < 14.10-rc-1

Patched versions

13.10.11
14.4.7
14.10

Description

Impact

The annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document.

To reproduce: add an annotation with the content {{groovy}}print "hello"{{/groovy}} and click the yellow scare to get a display of the annotation inline.

The result is "hello" but it should be an error suggesting that it's not allowed to use the groovy macro.

Patches

This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

There is no easy workaround except to upgrade.

References

https://jira.xwiki.org/browse/XWIKI-20360
https://jira.xwiki.org/browse/XWIKI-20384

For more information

If you have any questions or comments about this advisory:

Attribution

This vulnerability has been reported by René de Sain @renniepak.

Severity

Critical
9.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2023-26475

Weaknesses

Credits