Headline
CVE-2023-29521: Privilege escalation (PR) from account/view through VFS Tree macro
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Macro.VFSTreeMacro. This page is not installed by default.This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Steps to reproduce:
Add
{{vfsTree root="~" /~}~} {{cache id=~"vfs-macro-content~"~}~}{{groovy~}~}println(~"Hello from Groovy!~"){{/groovy~}~}{{/cache~}~}"/}}
to any place where you can use wiki syntax like the “about” section in your user profile as a user without programming or script rights.
Expected result:
An empty VFS Tree or some error is displayed.
Actual result:
The output
The [tree] macro is a standalone macro and it cannot be used inline. Click on this message for details. Hello from Groovy!" reference="path:/xwiki/bin/get/XWiki/username?sheet=Macros.VFSTreeJSON&outputSyntax=plain" links="true"/}}
is displayed. This shows that the Groovy macro has been executed and thus programming rights have been gained. This is because the VFS Tree macro allows XWiki syntax injection through the root parameter.
Note that the VFS Tree macro, while being part of xwiki-platform, is not bundled with XWiki and thus this issue cannot be exploited on a default installation of XWiki.
Related news
### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. See https://jira.xwiki.org/browse/XWIKI-20260 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12) on `Macro.VFSTreeMacro`. ### References - https://jira.xwiki.org/browse/XWIKI-20260 - https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])