Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-45144: Improve escaping (#30) · xwikisas/identity-oauth@d805d31

com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on OAuth authorizations. When a user logs in via the OAuth method, the identityOAuth parameters sent in the GET request is vulnerable to cross site scripting (XSS) and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The issue has been fixed in Identity OAuth version 1.6. There are no known workarounds for this vulnerability and users are advised to upgrade.

CVE
#xss#vulnerability#mac#js#java#rce#oauth#auth

Expand Up @@ -21,42 +21,53 @@ #macro (initConfigObjects $configDocName $extraObjectClassPropPrefixes $translationPrefixesP) #set($formId = “${section.toLowerCase()}_${configDocName1}”) #set($configDoc = $xwiki.getDocument($configDocName))
#set($classNameIO="IdentityOAuth.IdentityOAuthConfigClass") #set($propNamePrefixIO="${configDoc.fullName}_${classNameIO}_0") #set($objIO = $configDoc.getObject($classNameIO))
## Handle translation prefixes. #set($translationPrefixes = []) #foreach($p in $translationPrefixesP) #set($nuts=$translationPrefixes.add($p)) #end #set($nuts=$translationPrefixes.add(‘IdentityOAuth.IdentityOAuthConfigClass_’))
## Handle extra class properties. #foreach($x in $extraObjectClassPropPrefixes) #set($shhh = $x.add($x[0])) #set($x[0] = $configDoc.getObject($x[0])) #end #end

## t: shorthand for translation ## ## Macros used in managing providers translations. t is for translation and tp for translation with parameters. ## #macro (alignWithTranslationPrefixes $name) #set($tn = []) #foreach($p in $translationPrefixes) #set($nuts=$tn.add(“${p}${name}”)) #end #end #macro (t $name) #macro (getTranslation $name $usage $translation) #alignWithTranslationPrefixes($name) $services.localization.render($tn) #if ($usage == ‘js’) #set ($translation = $escapetool.javascript($services.localization.render($tn))) #else #set ($translation = $escapetool.xml($services.localization.render($tn))) #end #end
## tp: shorthand for translation with parameters #macro (tp $name $params)## ## Display translation. #macro (t $name $usage) #getTranslation($name $usage $translation) $translation #end ## Get translation with parameters. #macro (tp $name $params $usage $translation) #alignWithTranslationPrefixes($name) #set ($msg = $services.localization.render($tn,$params))## ## convert to <a href="link">link-text</a> for the simple wiki syntax of links $stringtool.replacePattern($msg, '\[\[([^>]*)>>([^\]]*)\]\]', ‘<a href="$2">$1</a>’)## #set ($msg = $services.localization.render($tn, $params))## #if ($usage == ‘js’) #set ($translation = $escapetool.javascript($msg)) #else #set ($translation = $escapetool.xml($msg)) #end #end
## displayInput: displays the form element of the relevant property of the object having removed the Expand Down Expand Up @@ -93,7 +104,8 @@ // absUrl: $absUrl #set($serverReturn = “${absUrl.substring(0, $absUrl.indexOf('/’,8))}${serverReturn}”) #end window.placeHolderForRedirectUrl = '#tp("redirectUrl.placeHolderMessage", [“${serverReturn}”])'; #tp("redirectUrl.placeHolderMessage", [“${serverReturn}”], "js", $translation) window.placeHolderForRedirectUrl = "${translation}"; var p = window.location.href.indexOf(‘/admin’); window.browserReturnUrl = (p === -1 ? window.location.href : Expand Down

Related news

GHSA-h2rm-29ch-wfmh: XWiki Identity Oauth Privilege escalation (PR)/remote code execution from login screen through unescaped URL parameter

### Impact When login via the OAuth method, the identityOAuth parameters, sent in a GET request is vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The vulnerability is in [this part](https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58) of the code. ### Patches The issue has been fixed in Identity OAuth version 1.6 by https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6 . The fix is in the content of the [IdentityOAuth/LoginUIExtension](https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188) file ### Workarounds There are no known workarounds besides upgrading. ### References _Are there any links users can visit to find out more?...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907