Skip to content

XSS in Filter Stream Converter Application

High
surli published GHSA-xjfw-5vv5-vjq2 May 31, 2022

Package

maven org.xwiki.platform:xwiki-platform-filter-ui (Maven)

Affected versions

>= 6.0-milestone-2, >= 5.4.4

Patched versions

12.10.11, 14.0-rc-1, 13.4.7, 13.10.3

Description

Impact

We found a possible XSS vector in the Filter.FilterStreamDescriptorForm wiki page related to pretty much all the form fields printed in the home page of the application.

Patches

The issue is patched in versions 12.10.11, 14.0-rc-1, 13.4.7, 13.10.3.

Workarounds

The easiest workaround is to edit the wiki page Filter.FilterStreamDescriptorForm (with wiki editor) and change the lines

          <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$request.get($descriptorId)#else$descriptor.defaultValue#end"/>
        #else
          <input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$request.get($descriptorId)"#end/>

into

          <input type="text" id="$descriptorId" name="$descriptorId" value="#if($request.get($descriptorId))$escapetool.xml($request.get($descriptorId))#else$descriptor.defaultValue#end"/>
        #else
          <input type="text" id="$descriptorId" name="$descriptorId"#if($request.get($descriptorId))value="$escapetool.xml($request.get($descriptorId))"#end/>

References

For more information

If you have any questions or comments about this advisory:

Severity

High
7.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

CVE ID

CVE-2022-29258