CVE-2023-35150: XWIKI-20285: Improve escaping of the Invitation Application · xwiki/xwiki-platform@b65220a
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.
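The advisory's proof of concept smuggles XWiki macro syntax (a `]]` link terminator followed by `{{async}}`/`{{groovy}}` blocks) into the document-reference part of the request path. An added detection example, not code from the xwiki-platform commit, that a defender can run over access-log request targets to flag that pattern; the log lines are constructed, and the macro skeleton in the third one is shortened to the markers only:

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Rendering-macro markers that have no business in a document reference
# taken from the request path: `{{name` opens a macro such as {{async}}
# or {{groovy}}, and `]]` closes a wiki link early.
MACRO_RE = re.compile(r"\{\{\s*/?[A-Za-z]+")
LINK_BREAK_RE = re.compile(r"\]\]")


def decode_path(path: str) -> str:
    """Percent-decode until stable, so double-encoded sequences are caught too."""
    prev = None
    while prev != path:
        prev, path = path, unquote(path)
    return path


def classify_request(target: str) -> dict:
    """Inspect one request target such as '/xwiki/bin/view/Doc?sheet=...'."""
    parts = urlsplit(target)
    path = decode_path(parts.path)
    query = parse_qs(parts.query)
    sheet = query.get("sheet", [""])[0]
    findings = {
        "macro_in_path": bool(MACRO_RE.search(path)),
        "link_break_in_path": bool(LINK_BREAK_RE.search(path)),
        # The advisory's PoC pairs the injected path with the Invitation sheet.
        "invitation_sheet": sheet.startswith("Invitation."),
    }
    findings["suspicious"] = findings["macro_in_path"] or findings["link_break_in_path"]
    return findings


def flag_suspicious(targets):
    """Return the request targets whose path carries macro or link-break markers."""
    return [t for t in targets if classify_request(t)["suspicious"]]


# Constructed sample request targets (not real traffic): a plain page view,
# a legitimate Invitation sheet request, and a macro skeleton in the path.
SAMPLE_REQUESTS = [
    "/xwiki/bin/view/Main/WebHome",
    "/xwiki/bin/view/Invitation/WebHome?sheet=Invitation.InvitationGuestActions&xpage=view",
    "/xwiki/bin/view/%5D%5D%20%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7D%7B%7B%2Fgroovy%7D%7D"
    "%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view",
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_REQUESTS):
        print("suspicious:", hit, classify_request(hit))
```

A hit on `macro_in_path` or `link_break_in_path` is worth an alert on any XWiki version, since a legitimate document name never needs those characters; the `invitation_sheet` flag only raises the priority.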
@@ -0,0 +1,87 @@ <?xml version="1.0" encoding="UTF-8"?>
<!-- * See the NOTICE file distributed with this work for additional * information regarding copyright ownership. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. -->
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> <modelVersion>4.0.0</modelVersion> <parent> <groupId>org.xwiki.platform</groupId> <artifactId>xwiki-platform-index</artifactId> <version>15.1-SNAPSHOT</version> </parent> <artifactId>xwiki-platform-index-default</artifactId> <name>XWiki Platform - Index - Default</name> <description>Default implementation of the API to queue asynchronous tasks dedicated to the analysis of wiki pages.</description> <packaging>jar</packaging> <properties> <xwiki.jacoco.instructionRatio>0.84</xwiki.jacoco.instructionRatio> <!-- Name to display by the Extension Manager --> <xwiki.extension.name>Default implementation of the Index API</xwiki.extension.name> </properties> <dependencies> <dependency> <groupId>org.xwiki.platform</groupId> <artifactId>xwiki-platform-index-api</artifactId> <version>${project.version}</version> </dependency> <dependency> <groupId>org.xwiki.commons</groupId> <artifactId>xwiki-commons-component-api</artifactId> <version>${commons.version}</version> </dependency> <dependency> <groupId>org.xwiki.platform</groupId> <artifactId>xwiki-platform-oldcore</artifactId> <version>${project.version}</version> </dependency> <!-- Test dependencies. 
--> <dependency> <groupId>org.xwiki.commons</groupId> <artifactId>xwiki-commons-tool-test-component</artifactId> <version>${commons.version}</version> <scope>test</scope> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <scope>test</scope> </dependency> </dependencies> <build> <plugins> <plugin> <!-- Apply the Checkstyle configurations defined in the top level pom.xml file --> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-checkstyle-plugin</artifactId> <executions> <execution> <!-- Specify the “default” execution id so that the “blocker” one is always executed --> <id>default</id> <configuration> <failsOnError>true</failsOnError> <suppressionsLocation>${basedir}/src/checkstyle/checkstyle-suppressions.xml</suppressionsLocation> </configuration> </execution> </executions> </plugin> </plugins> </build> </project>
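Review bot: the new pom points the checkstyle execution at `${basedir}/src/checkstyle/checkstyle-suppressions.xml` with `failsOnError` set to true, but that suppressions file is not part of this hunk; if it is not added alongside the pom in the same commit, the `default` checkstyle execution will fail the build of `xwiki-platform-index-default`. Two smaller points: the parent version is `15.1-SNAPSHOT` while the advisory lists 15.0, 14.10.4 and 14.4.8 as the fixed releases, so the backport branches need this module too if the fix depends on it; and the `javax.servlet-api` test dependency carries no `<version>`, which only works if the parent's dependencyManagement pins it.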
Related news
### Impact

Any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. See the example below:

Open `<xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view` where `<xwiki-host>` is the URL of your XWiki installation.

### Patches

The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8.

### Workarounds

It is possible to partially fix the issue by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a). Note that some additional issues can remain, which are fixed automatically by a migration. Hence, it is advised to upgrade to one of the patched versions instead of patching manually.

### Refere...