GHSA-h7cw-44vp-jq7h: XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

Package

maven org.xwiki.platform:xwiki-platform-help-ui (Maven)

Affected versions

>= 8.1-milestone-1, < 14.10.5

>= 15.0-rc-1, < 15.1-rc-1

Patched versions

14.10.5

15.1-rc-1

Description

Impact

It’s possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension.

To reproduce:

• Add an object of type UIExtensionClass

• Set “Extension Point ID” to org.xwiki.platform.help.tipsPanel

• Set “Extension ID” to org.xwiki.platform.user.test (needs to be unique but otherwise doesn’t matter)

• Set “Extension Parameters” to

  tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
  

• Set “Extension Scope” to "Current User".

• Click “Save & View”

• Open the “Help.TipsPanel” document at /xwiki/bin/view/Help/TipsPanel where is the URL of your XWiki installation and press refresh repeatedly.

The groovy macro is executed, after the fix you get an error instead.

Patches

This has been patched in XWiki 15.1-rc-1 and 14.10.5.

Workarounds

There are no known workarounds for it.

References

• https://jira.xwiki.org/browse/XWIKI-20281
• xwiki/xwiki-platform@98208c5#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178

For more information

If you have any questions or comments about this advisory:

• Open an issue in Jira XWiki.org
• Email us at Security Mailing List

References

• GHSA-h7cw-44vp-jq7h
• xwiki/xwiki-platform@98208c5#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178
• https://jira.xwiki.org/browse/XWIKI-20281

tmortagne published to xwiki/xwiki-platform

Jun 20, 2023

Published to the GitHub Advisory Database

Jun 20, 2023

Reviewed

Jun 20, 2023