Headline
CVE-2023-26474: Privilege escalation via properties with wiki syntax that are executed with the wrong author
XWiki Platform is a generic wiki platform. Starting in version 13.10, it’s possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.
Package
org.xwiki.platform:xwiki-platform-oldcore, org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven)
Affected versions
>= 13.10
Patched versions
13.10.11, 14.4.7, 14.10
Impact
It’s possible to use the rights of an existing document’s content author to execute a text area property: wiki syntax (including script macros) stored in the property runs with that author’s rights rather than those of the user who wrote it.
To reproduce:
- As an admin with programming rights, create a new user without script or programming rights.
- Log in with the freshly created user.
- Insert the following text in source mode in the about section:
  {{groovy}}println("hello from groovy!"){{/groovy}}
- Click “Save & View”
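Added here as a defender’s audit check, not code from XWiki or from this advisory: a simplified model (the data classes and the has_script_right callback are assumptions, not XWiki’s API) that flags text area properties containing a script macro written by a user without script rights on a document whose content author does have them, which is the condition this advisory describes.

```python
import re
from dataclasses import dataclass, field

# Script macros whose execution requires script or programming rights in XWiki.
# {{groovy}} is the macro used in the advisory; the others are well-known XWiki
# script macros and are included as an assumption for broader coverage.
SCRIPT_MACRO = re.compile(r"\{\{(groovy|velocity|python|php|script)\b", re.IGNORECASE)


@dataclass
class TextAreaProperty:
    """Simplified model (not XWiki's API) of a text area property on an object."""
    name: str
    value: str
    author: str  # user who last saved this property


@dataclass
class Document:
    """Simplified model: a document's content author plus its text area properties."""
    reference: str
    content_author: str
    properties: list = field(default_factory=list)


def find_escalations(doc: Document, has_script_right) -> list:
    """Return (document, property, author) tuples for script macros in text area
    properties written by a user without script rights on a document whose
    content author has them, i.e. properties that would run with borrowed rights."""
    hits = []
    for prop in doc.properties:
        if not SCRIPT_MACRO.search(prop.value):
            continue  # no script macro, nothing to execute
        if has_script_right(prop.author):
            continue  # the property's author may legitimately run scripts
        if has_script_right(doc.content_author):
            hits.append((doc.reference, prop.name, prop.author))
    return hits


# Constructed sample data mirroring the reproduction steps above.
PRIVILEGED = {"XWiki.Admin"}


def has_script_right(user: str) -> bool:
    return user in PRIVILEGED


SAMPLE_DOC = Document(
    reference="XWiki.NewUser",
    content_author="XWiki.Admin",  # profile page was created by the admin
    properties=[
        TextAreaProperty("comment", "Just a normal bio.", "XWiki.NewUser"),
        TextAreaProperty("about", '{{groovy}}println("hello from groovy!"){{/groovy}}', "XWiki.NewUser"),
    ],
)

if __name__ == "__main__":
    for ref, name, author in find_escalations(SAMPLE_DOC, has_script_right):
        print(f"{ref}: property '{name}' by {author} would run with content author rights")
```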
Patches
This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Workarounds
No known workaround.
References
https://jira.xwiki.org/browse/XWIKI-20373
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira (http://jira.xwiki.org/)
- Email us at Security ML