Headline
GHSA-f776-w9v2-7vfj: XWiki Change Request Application UI XSS and remote code execution through change request title
Impact
It’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.
Patches
The vulnerability has been fixed in Change Request 1.9.2.
Workarounds
It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.
References
- JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
- Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
Thanks Michael Hamann for the report.
Package
maven org.xwiki.contrib.changerequest:application-changerequest-ui (Maven)
Affected versions
>= 0.11, < 1.9.2
Patched versions
1.9.2
Description
Impact
It’s possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request.
This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.
Patches
The vulnerability has been fixed in Change Request 1.9.2.
Workarounds
It’s possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: xwiki-contrib/application-changerequest@7565e72.
References
- JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
- Commit of the fix: xwiki-contrib/application-changerequest@7565e72
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Attribution
Thanks Michael Hamann for the report.
References
- GHSA-f776-w9v2-7vfj
- https://nvd.nist.gov/vuln/detail/CVE-2023-45138
- xwiki-contrib/application-changerequest@7565e72
- https://jira.xwiki.org/browse/CRAPP-298
surli published to xwiki-contrib/application-changerequest
Oct 12, 2023
Published to the GitHub Advisory Database
Oct 17, 2023
Reviewed
Oct 17, 2023
Last updated
Oct 17, 2023
Related news
Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to workaround the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.