Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-cmvg-w72j-7phx: org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins

Impact

There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.

Patches

This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.

Workarounds

The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.

References

  • https://jira.xwiki.org/browse/XWIKI-19514
  • https://jira.xwiki.org/browse/XWIKI-9119
  • https://jira.xwiki.org/browse/XWIKI-19583

For more information

If you have any questions or comments about this advisory:

ghsa
Open in Source
#xss#js#git#java#auth#jira#maven

Package

maven org.xwiki.platform:xwiki-platform-skin-skinx (Maven)

Affected versions

>= 3.0-milestone-1, < 14.9-rc-1

Patched versions

14.9-rc-1

Description

Impact

There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.

Patches

This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.

Workarounds

The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.

References

  • https://jira.xwiki.org/browse/XWIKI-19514
  • https://jira.xwiki.org/browse/XWIKI-9119
  • https://jira.xwiki.org/browse/XWIKI-19583

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira
  • Email us at Security ML

References

  • GHSA-cmvg-w72j-7phx
  • xwiki/xwiki-platform@fe65bc3
  • https://jira.xwiki.org/browse/XWIKI-19514
  • https://jira.xwiki.org/browse/XWIKI-19583
  • https://jira.xwiki.org/browse/XWIKI-9119

tmortagne published to xwiki/xwiki-platform

Apr 12, 2023

Published to the GitHub Advisory Database

Apr 12, 2023

Reviewed

Apr 12, 2023

Last updated

Apr 12, 2023

Related news

CVE-2023-29206: Privilege escalation via style sheet skin extensions with just edit rights

XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.

ghsa: Latest News

GHSA-6jrf-rcjf-245r: changedetection.io path traversal using file URI scheme without supplying hostname
ghsa