GHSA-jjm5-5v9v-7hx2: org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticate endpoints

Package

maven org.xwiki.platform:xwiki-platform-security-authentication-default (Maven)

Affected versions

  • >= 13.10.8, < 13.10.11
  • >= 14.4.3, < 14.4.7
  • >= 14.6, < 14.10

Patched versions

  • 13.10.11
  • 14.4.7
  • 14.10

Description

Impact

It was possible to inject some code using the URL of authenticate endpoints, e.g.:

https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword

This vulnerability was present in recent versions of XWiki:

  • 13.10.8+
  • 14.4.3+
  • 14.6+
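The example URL above works because the percent-encoded quote in the wiki-name segment is decoded and then lands inside an HTML attribute, so `"onload="` closes the attribute the template wrote and opens a new one. The following Python is an added illustration, not XWiki code (XWiki itself is Java): the template, the `data-wiki` attribute and the log check are hypothetical, and the request path is a constructed sample in the shape the advisory describes.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed request path with the shape shown in the advisory (no live target).
SAMPLE_PATH = "/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword"
AUTH_RE = re.compile(r"^/xwiki/authenticate/wiki/([^/]+)/")


def wiki_segment(path):
    """Percent-decode the wiki-name segment of an authenticate URL (None if not one)."""
    m = AUTH_RE.match(path)
    return unquote(m.group(1)) if m else None


def render_unescaped(wiki):
    """Hypothetical vulnerable pattern: the decoded segment is concatenated
    straight into an HTML attribute. Not XWiki's actual template code."""
    return f'<body data-wiki="{wiki}">'


def render_escaped(wiki):
    """Hardened pattern: attribute-escape before embedding, so a quote in the
    segment cannot terminate the attribute."""
    return f'<body data-wiki="{html.escape(wiki, quote=True)}">'


class _AttrNames(HTMLParser):
    """Collects the attribute names an HTML parser sees on the rendered tag."""
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(name for name, _ in attrs)


def attribute_names(markup):
    p = _AttrNames()
    p.feed(markup)
    p.close()
    return p.names


def is_suspicious(path):
    """Log-review check: flag authenticate URLs whose decoded wiki segment
    holds characters that never occur in a legitimate wiki identifier."""
    seg = wiki_segment(path)
    return seg is not None and re.search(r'["\'<>]', seg) is not None
```

Run over the sample path, `attribute_names(render_unescaped(...))` contains a separate `onload` attribute, while the escaped rendering yields only `data-wiki`; `is_suspicious` is the kind of check to apply to access logs when looking for exploitation attempts against unpatched instances.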

Patches

This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.

Workarounds

There is no easy workaround except to upgrade.

References

  • https://jira.xwiki.org/browse/XWIKI-20335
  • xwiki/xwiki-platform@1943ea2

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira
  • Email us at security mailing-list

References

  • GHSA-jjm5-5v9v-7hx2
  • xwiki/xwiki-platform@1943ea2
  • https://jira.xwiki.org/browse/XWIKI-20335

tmortagne published to xwiki/xwiki-platform: Apr 12, 2023

Published to the GitHub Advisory Database: Apr 12, 2023

Reviewed: Apr 12, 2023

Last updated: Apr 12, 2023

Related news

CVE-2023-29506: RXSS with authenticate endpoints

XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.