GHSA-wcg9-pgqv-xm5v: XWiki Platform allows XSS through XClass name in string properties

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-43400

XWiki Platform allows XSS through XClass name in string properties

Critical severity GitHub Reviewed Published Aug 19, 2024 in xwiki/xwiki-platform • Updated Aug 19, 2024

Package

maven org.xwiki.platform:xwiki-platform-oldcore (Maven)

Affected versions

>= 1.1.2, < 14.10.21

>= 15.0-rc-1, < 15.5.5

>= 15.6-rc-1, < 15.10.6

= 16.0.0-rc-1

Patched versions

14.10.21

15.5.5

15.10.6

16.0.0

Impact

Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript.
This requires social engineer to trick a user to follow the URL.

Reproduction steps

1. As a user without script or programming right, create a (non-terminal) document named " + alert(1) + " (the quotes need to be part of the name).
2. Edit the class.
3. Add a string property named "test".
4. Edit using the object editor and add an object of the created class
5. Get an admin to open <xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=edit where <xwiki-server> is the URL of your XWiki installation.

Patches

This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.

Workarounds

We’re not aware of any workaround except upgrading.

References

• https://jira.xwiki.org/browse/XWIKI-21810
• xwiki/xwiki-platform@27eca84

References

• GHSA-wcg9-pgqv-xm5v
• https://nvd.nist.gov/vuln/detail/CVE-2024-43400
• xwiki/xwiki-platform@27eca84
• https://jira.xwiki.org/browse/XWIKI-21810

Published to the GitHub Advisory Database

Aug 19, 2024

Last updated

Aug 19, 2024