GHSA-3738-p9x3-mv9r: XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
Impact
It is possible to abuse the rights of a document's existing content author to execute a text area property: the wiki syntax stored in the property runs with the rights of the content author rather than those of the user who last edited the property.
To reproduce:
- As an admin with programming rights, create a new user without script or programming rights.
- Log in with the freshly created user.
- Insert the following text, in source mode, in the About section:
{{groovy}}println("hello from groovy!"){{/groovy}}
- Click “Save & View”. The Groovy macro is executed even though the editing user has neither script nor programming rights.
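The following is an added triage example, not code from the advisory or from the XWiki project: it scans an XWiki document export for script macros stored in object properties and flags documents whose last author differs from the content author, which is the condition under which the macro would have run with the wrong rights. The XML element names (xwikidoc, author, contentAuthor, object, className, property) and the use of the XWikiUsers "comment" field for the About section are assumptions about the export format; the sample document is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Macros that execute script code and therefore need script/programming rights.
SCRIPT_MACRO_RE = re.compile(r"\{\{(groovy|python|velocity|script)\b", re.IGNORECASE)

# Constructed sample shaped like an XWiki document export (element names are
# assumptions): a user profile whose About field carries the advisory's payload,
# last edited by the low-privilege user while the content author is an admin.
SAMPLE_DOC = """<xwikidoc>
  <web>XWiki</web>
  <name>NewUser</name>
  <author>xwiki:XWiki.NewUser</author>
  <contentAuthor>xwiki:XWiki.Admin</contentAuthor>
  <object>
    <className>XWiki.XWikiUsers</className>
    <property>
      <comment>{{groovy}}println("hello from groovy!"){{/groovy}}</comment>
    </property>
    <property>
      <first_name>New</first_name>
    </property>
  </object>
</xwikidoc>"""


def find_script_macros(text):
    """Return the distinct script macro names used in a wiki-syntax string."""
    return sorted({m.group(1).lower() for m in SCRIPT_MACRO_RE.finditer(text or "")})


def audit_document(xml_text):
    """Report object fields containing script macros, together with whether the
    document's last author differs from its content author (the author whose
    rights the macro would run with on unpatched versions)."""
    root = ET.fromstring(xml_text)
    author = root.findtext("author")
    content_author = root.findtext("contentAuthor")
    findings = []
    for obj in root.findall("object"):
        class_name = obj.findtext("className")
        for prop in obj.findall("property"):
            for field in prop:  # each <property> wraps one named field element
                macros = find_script_macros(field.text)
                if macros:
                    findings.append({
                        "class": class_name,
                        "field": field.tag,
                        "macros": macros,
                        "author": author,
                        "content_author": content_author,
                        "author_mismatch": author != content_author,
                    })
    return findings
```

Findings with `author_mismatch` set are the ones to review first after upgrading, since the stored macro would have executed with the content author's rights.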
Patches
This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Workarounds
No known workaround.
References
https://jira.xwiki.org/browse/XWIKI-20373
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
- CVE-2023-26474
Critical severity GitHub Reviewed Published Mar 1, 2023 in xwiki/xwiki-platform • Updated Mar 3, 2023
Package: org.xwiki.platform:xwiki-platform-legacy-oldcore (Maven)
Affected versions:
>= 13.10, < 13.10.11
>= 14.0, < 14.4.7
>= 14.5, < 14.10
Patched versions:
13.10.11
14.4.7
14.10

Package: org.xwiki.platform:xwiki-platform-oldcore (Maven)
Affected versions:
>= 13.10, < 13.10.11
>= 14.0, < 14.4.7
>= 14.5, < 14.10
Published by the National Vulnerability Database
Mar 2, 2023
Published to the GitHub Advisory Database
Mar 3, 2023
Related news
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.