CVE-2023-35166: Privilege escalation (PR) from account through TipsPanel

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A user without script or programming rights can execute arbitrary wiki content with the rights of the author of the Help.TipsPanel document, which hold programming rights, by registering a tip UI extension from their own user profile. This has been patched in XWiki 15.1-rc-1 and 14.10.5.


Steps to reproduce:

  1. As a user without script or programming rights, edit your user profile with the object editor (enable the advanced user type first if necessary).

  2. Add an object of type UIExtensionClass

  3. Set “Extension Point ID” to org.xwiki.platform.help.tipsPanel

  4. Set “Extension ID” to org.xwiki.platform.user.test (needs to be unique but otherwise doesn’t matter)

  5. Set “Extension Parameters” to

    tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

  6. Set “Extension Scope” to "Current User".

  7. Click “Save & View”

  8. Open the “Help.TipsPanel” document at <xwiki-host>/xwiki/bin/view/Help/TipsPanel where <xwiki-host> is the URL of your XWiki installation and press refresh repeatedly.

Expected result:

One of the following: the provided tip is never displayed, the tip is displayed as-is without rendering the macros, or an error is displayed stating that the user is not allowed to execute the Groovy macro.

Actual result:

At some point, "Hello from groovy!" is displayed. Because the displayed tip is chosen at random from all registered tips, this may take many refreshes. The output proves that the Groovy macro was executed in the context of the TipsPanel author rather than the user who wrote it, i.e. a plain user account has escalated to programming rights.
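Until the instance is upgraded there is no workaround, so an administrator's practical check is to look for user-scoped tip extensions that carry script macros. The following scanner is an added example written for this page, not XWiki project code. It assumes the layout of an XWiki XML page export (a <xwikidoc> root with <object> children whose <property> elements each wrap one field) and the UIExtensionClass field names extensionPointId, name, parameters and scope; those names and the sample export are assumptions constructed for the example. It also encodes the patched-version rule stated in the advisory (14.10.5 and 15.1-rc-1), treating anything older than 14.10 as unpatched because the advisory gives no lower bound.

```python
"""Find TipsPanel UI extensions that smuggle script macros, and check the XWiki version.

Added example for CVE-2023-35166; not XWiki code. The XML layout and the
UIExtensionClass field names below are assumptions, not taken from the advisory.
"""
import re
import xml.etree.ElementTree as ET

TIPS_PANEL_UIXP = "org.xwiki.platform.help.tipsPanel"
UIX_CLASS = "XWiki.UIExtensionClass"

# Rendering macros that evaluate server-side code, plus async, which the advisory
# uses to run its body in a separate execution context.
SCRIPT_MACRO_RE = re.compile(r"\{\{\s*(groovy|velocity|python|async|script)\b", re.I)

# Constructed sample export: a plain user's profile carrying the tip from the advisory
# next to a harmless one. Not a real export.
SAMPLE_EXPORT = """<xwikidoc reference="XWiki.EvilUser">
  <web>XWiki</web><name>EvilUser</name>
  <object>
    <name>XWiki.EvilUser</name>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.help.tipsPanel</extensionPointId></property>
    <property><name>org.xwiki.platform.user.test</name></property>
    <property><parameters>tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}</parameters></property>
    <property><scope>user</scope></property>
  </object>
  <object>
    <name>XWiki.EvilUser</name>
    <className>XWiki.UIExtensionClass</className>
    <property><extensionPointId>org.xwiki.platform.help.tipsPanel</extensionPointId></property>
    <property><name>org.xwiki.platform.user.harmless</name></property>
    <property><parameters>tip=Press Ctrl+S to save the page.</parameters></property>
    <property><scope>user</scope></property>
  </object>
</xwikidoc>"""


def _fields(obj):
    """Flatten <property><field>value</field></property> pairs into a dict."""
    out = {}
    for prop in obj.findall("property"):
        for field in prop:
            out[field.tag] = field.text or ""
    return out


def parse_parameters(text):
    """Parse the key=value lines of the Extension Parameters field."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def find_suspicious_tips(export_xml):
    """Return (document, extension id, scope, macro) for each tip UIX containing a script macro."""
    root = ET.fromstring(export_xml)
    doc_ref = root.get("reference", "")
    findings = []
    for obj in root.findall("object"):
        if (obj.findtext("className") or "") != UIX_CLASS:
            continue
        f = _fields(obj)
        if f.get("extensionPointId") != TIPS_PANEL_UIXP:
            continue
        tip = parse_parameters(f.get("parameters", "")).get("tip", "")
        m = SCRIPT_MACRO_RE.search(tip)
        if m:
            findings.append((doc_ref, f.get("name", ""), f.get("scope", ""), m.group(1).lower()))
    return findings


def parse_version(v):
    """Turn '14.10.5' or '15.1-rc-1' into a sortable tuple; a final release sorts after its RCs."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, rc = (int(x) if x else 0 for x in m.groups())
    is_final = m.group(4) is None
    return (major, minor, patch, 1 if is_final else 0, rc)


PATCHED = {"14.10": parse_version("14.10.5"), "15": parse_version("15.1-rc-1")}


def is_patched(version):
    """True if the version carries the fix: 14.10.x needs 14.10.5+, 15.x and later need 15.1-rc-1+.
    Versions below 14.10 are reported unpatched (conservative assumption, see lead-in)."""
    v = parse_version(version)
    if v[:2] == (14, 10):
        return v >= PATCHED["14.10"]
    if v[0] >= 15:
        return v >= PATCHED["15"]
    return False


if __name__ == "__main__":
    for doc, ext_id, scope, macro in find_suspicious_tips(SAMPLE_EXPORT):
        print(f"{doc}: tip extension {ext_id} (scope={scope}) contains a {{{{{macro}}}}} macro")
    for ver in ("14.10.4", "14.10.5", "15.0", "15.1-rc-1"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
```

Run it over an export of the XWiki space (every user profile lives there) and over any wiki-scoped extension documents; a tip that contains a script macro and was saved by an account without programming rights is the pattern the advisory describes. The version check deliberately orders 15.1-rc-1 below the 15.1 final so that the release candidate named as the fix is accepted while 15.0 is not.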

Related news

GHSA-h7cw-44vp-jq7h: XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

Impact:

It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. To reproduce:

  * Add an object of type UIExtensionClass
  * Set "Extension Point ID" to org.xwiki.platform.help.tipsPanel
  * Set "Extension ID" to org.xwiki.platform.user.test (needs to be unique but otherwise doesn't matter)
  * Set "Extension Parameters" to

    tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

  * Set "Extension Scope" to "Current User".
  * Click "Save & View"
  * Open the "Help.TipsPanel" document at <xwiki-host>/xwiki/bin/view/Help/TipsPanel where <xwiki-host> is the URL of your XWiki installation and press refresh repeatedly.

The groovy macro is executed, after the fix you get an error instead.

Patches:

This has been patched in XWiki 15.1-rc-1 and 14.10.5.

Workarounds:

There are no known workarounds for it.

References:

  * https://jira.xwiki....
