Headline
GHSA-9r9j-57rf-f6vj: XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form
Impact
It’s possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment.
For example, an attachment with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.
Patches
This issue has been patched in XWiki 14.4RC1.
Workarounds
It is possible to fix the vulnerability by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replace
#set($titleToDisplay = $services.localization.render('attachment.move.title',
[$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))
by
#set($titleToDisplay = $services.localization.render('attachment.move.title', [
$escapetool.xml($attachment.name),
$escapetool.xml($doc.plainTitle),
$escapetool.xml($doc.getURL())
]))
See the corresponding patch.
References
- https://jira.xwiki.org/browse/XWIKI-19667
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Impact
It’s possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment.
For example, an attachment with name ><img src=1 onerror=alert(1)>.jpg will execute the alert.
Patches
This issue has been patched in XWiki 14.4RC1.
Workarounds
It is possible to fix the vulnerability by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replace
#set($titleToDisplay = $services.localization.render('attachment.move.title',
[$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))
by
#set($titleToDisplay = $services.localization.render('attachment.move.title', [
$escapetool.xml($attachment.name),
$escapetool.xml($doc.plainTitle),
$escapetool.xml($doc.getURL())
]))
See the corresponding patch.
References
- https://jira.xwiki.org/browse/XWIKI-19667
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
References
- GHSA-9r9j-57rf-f6vj
- https://nvd.nist.gov/vuln/detail/CVE-2022-36097
- xwiki/xwiki-platform@fbc4bfb
- https://jira.xwiki.org/browse/XWIKI-19667
- https://raw.githubusercontent.com/xwiki/xwiki-platform/xwiki-platform-14.0-rc-1/xwiki-platform-core/xwiki-platform-attachment/xwiki-platform-attachment-api/src/main/resources/templates/attachment/moveStep1.vm
Related news
XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.