Headline
GHSA-cmvg-w72j-7phx: org.xwiki.platform:xwiki-platform-skin-skinx vulnerable to basic Cross-site Scripting by exploiting JSX or SSX plugins
Impact
There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.
Patches
This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.
Workarounds
The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.
References
- https://jira.xwiki.org/browse/XWIKI-19514
- https://jira.xwiki.org/browse/XWIKI-9119
- https://jira.xwiki.org/browse/XWIKI-19583
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
Package
maven org.xwiki.platform:xwiki-platform-skin-skinx (Maven)
Affected versions
>= 3.0-milestone-1, < 14.9-rc-1
Patched versions
14.9-rc-1
Description
Impact
There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights.
Patches
This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script right.
Workarounds
The only known workaround consists in applying the following patch and rebuilding and redeploying xwiki-platform-skin-skinx.
References
- https://jira.xwiki.org/browse/XWIKI-19514
- https://jira.xwiki.org/browse/XWIKI-9119
- https://jira.xwiki.org/browse/XWIKI-19583
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
References
- GHSA-cmvg-w72j-7phx
- xwiki/xwiki-platform@fe65bc3
- https://jira.xwiki.org/browse/XWIKI-19514
- https://jira.xwiki.org/browse/XWIKI-19583
- https://jira.xwiki.org/browse/XWIKI-9119
tmortagne published to xwiki/xwiki-platform
Apr 12, 2023
Published to the GitHub Advisory Database
Apr 12, 2023
Reviewed
Apr 12, 2023
Last updated
Apr 12, 2023
Related news
XWiki Commons are technical libraries common to several other top level XWiki projects. There was no check in the author of a JavaScript xobject or StyleSheet xobject added in a XWiki document, so until now it was possible for a user having only Edit Right to create such object and to craft a script allowing to perform some operations when executing by a user with appropriate rights. This has been patched in XWiki 14.9-rc-1 by only executing the script if the author of it has Script rights.