Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-h63h-5c77-77p5: XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet

Impact

Any user with edit right on any page can perform arbitrary remote code execution by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well. On this last object, set both name and icon properties to $services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')") and limit and engine to {{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}. Save and display the page. If the logs contain any message ERROR attacker - I got programming: true then the instance is vulnerable.

Patches

This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Workarounds

We’re not aware of any workaround except upgrading.

References

  • https://jira.xwiki.org/browse/XWIKI-21473
  • https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e
ghsa
#vulnerability#git#java#rce#auth#jira#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-37901

XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet

Critical severity GitHub Reviewed Published Jul 31, 2024 in xwiki/xwiki-platform • Updated Jul 31, 2024

Package

maven org.xwiki.platform:xwiki-platform-search-ui (Maven)

Affected versions

>= 9.2-rc-1, < 14.10.21

>= 15.0-rc-1, < 15.5.5

>= 15.6-rc-1, < 15.10.2

Patched versions

14.10.21

15.5.5

15.10.2

Impact

Any user with edit right on any page can perform arbitrary remote code execution by adding instances of XWiki.SearchSuggestConfig and XWiki.SearchSuggestSourceClass to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, as a user without script nor programming rights, add an object of type XWiki.SearchSuggestConfig to your profile page, and an object of type XWiki.SearchSuggestSourceClass as well. On this last object, set both name and icon properties to $services.logging.getLogger(“attacker”).error("I got programming: $services.security.authorization.hasAccess(‘programming’)") and limit and engine to {{/html}}{{async}}{{velocity}}$services.logging.getLogger(“attacker”).error("I got programming: $services.security.authorization.hasAccess(‘programming’)"){{/velocity}}{{/async}}. Save and display the page. If the logs contain any message ERROR attacker - I got programming: true then the instance is vulnerable.

Patches

This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.

Workarounds

We’re not aware of any workaround except upgrading.

References

  • https://jira.xwiki.org/browse/XWIKI-21473
  • xwiki/xwiki-platform@742cd45

References

  • GHSA-h63h-5c77-77p5
  • xwiki/xwiki-platform@0b13576
  • xwiki/xwiki-platform@742cd45
  • xwiki/xwiki-platform@9ce3e03
  • xwiki/xwiki-platform@bbde8a4
  • https://jira.xwiki.org/browse/XWIKI-21473

Published to the GitHub Advisory Database

Jul 31, 2024

Last updated

Jul 31, 2024

ghsa: Latest News

GHSA-g5vw-3h65-2q3v: Access control vulnerable to user data deletion by anonynmous users