Latest News

### Impact In `getdocument.vm` ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. It's possible to employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections. ### Patches This has been patched in 13.10.5 and 14.3-rc-1. ### Workarounds There is no known workaround, other than upgrading XWiki. ### References https://jira.xwiki.org/browse/XWIKI-17568 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ There is a potential XXE(XML External Entity Injection) vulnerability when http4k handling malicious XML contents within requests, which might allow attackers to read local sensitive information on server, trigger Server-side Request Forgery and even execute code under some circumstances. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ https://github.com/http4k/http4k/blob/25696dff2d90206cc1da42f42a1a8dbcdbcdf18c/core/format/xml/src/main/kotlin/org/http4k/format/Xml.kt#L42-L46 XML contents is parsed with DocumentBuilder without security settings on or external entity enabled ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ #### ...

### Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document `Scheduler.WebHome` in a subwiki. Then, click on any operation (*e.g.,* Trigger) on any job. If the operation is successful, then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.9 and 16.3.0. ### Workarounds If you have subwikis where the Job Scheduler is enabled, you can edit the objects on `Scheduler.WebPreferences` to match https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331#diff-8e274bd0065e319a34090339de6dfe56193144d15fd71c52c1be7272254728b4. ### References * https://jira.xwiki.org/browse/XWIKI-21663 * https://github.com/xwiki/xwiki-platform/commit/54bcc5a7a2e440cc591b91eece9c13dc0c487331 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) *...

### Impact Any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor programming rights, go to your user profile and add an object of type `XWiki.WikiMacroClass`. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to `Current User` and "Macro Description" to `{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}`. Save the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`. If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable. ### Patches This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0. ### Workarounds It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f36...

### Impact Any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a user with script rights, edit your user profile and add an object of type `XWiki.ConfigurableClass` ("Custom configurable sections"). Set "Display in section" and "Display in category" to `other`, "Scope" to `Wiki and all spaces` and "Heading" to: ``` #set($codeToExecute = 'Test') #set($codeToExecuteResult = '{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from Heading succeeded!"){{/groovy}}{{/async}}') ``` Save the page and view it, then add `?sheet=XWiki.AdminSheet&viewer=content&section=other` to the URL. If the logs contain "attacker - Attack from Heading succeeded!", then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.9 and 16.3.0. ### Workarounds We're...

A security issue was identified in the NanoProxy project related to the `golang.org/x/crypto` dependency. The project was using an outdated version of this dependency, which potentially exposed the system to security vulnerabilities that have been addressed in subsequent updates. Impact: The specific vulnerabilities in the outdated version of `golang.org/x/crypto` could include authorization bypasses, data breaches, or other security risks. These vulnerabilities can be exploited by attackers to compromise the integrity, confidentiality, or availability of the system. Resolution: The issue has been fixed in NanoProxy by upgrading the `golang.org/x/crypto` dependency to version 0.31.0. Users are strongly encouraged to update their instances of NanoProxy to include this fix and ensure they are using the latest secure version of all dependencies. Fixed Version: * `golang.org/x/crypto` upgraded to version 0.31.0.

Its mid-December, if you’re on-call or working to defend networks, this newsletter is for you. Martin discusses the widening gap between threat and defences as well as the growing problem of home devices being recruited to act as proxy servers for criminals.

The rules necessary to secure US communications have already been in place for 30 years, argues Sen. Wyden, the FCC just hasn't enforced them. It's unclear if they will help.

Just in time for the holidays!

Improper Authorization vulnerability in Apache Superset. On Postgres analytic databases an attacker with SQLLab access can craft a specially designed SQL DML statement that is Incorrectly identified as a read-only query, enabling its execution. Non postgres analytics database connections and postgres analytics database connections set with a readonly user (advised) are not vulnerable.  This issue affects Apache Superset: before 4.1.0. Users are recommended to upgrade to version 4.1.0, which fixes the issue.