Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-g66v-3v62-g375: RosarioSIS improper access control vulnerability

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button.

ghsa
Open in Source
#vulnerability#ios#git
GHSA-jgg7-w2rj-58cj: XWiki Platform vulnerable to privilege escalation from view right on XWiki.Notifications.Code.LegacyNotificationAdministration

### Impact Steps to reproduce: Open <xwiki-host>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <xwiki-host> is the URL of your XWiki installation. This demonstrates an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. ### Workarounds For versions >= 14.6-rc-1 the workaround is to modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping, as described on https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70 For vers...

GHSA-jgrg-qvpp-9vwr: XWiki Platform vulnerable to code injection from account through AWM view sheet

### Impact Steps to reproduce: 1. As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content `{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}` 1. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save) 1. View the document ### Patches The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20423 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-gpq5-7p34-vqx5: XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode

### Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content ```{{async}}{{display reference="Menu.WebHome" /}}{{/async}}``` 3. Open the comments viewer from the menu (appends ?viewer=comments to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20394 https://jira.xwiki.org/browse/XRENDERING-694 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-fc42-5w56-qw7h: XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet

### Impact It's possible to execute anything with the right of the Scheduler Application sheet page. To reproduce: 1. As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler") 1. In "Job Script", add the following ```{{/code}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy} {{/async}}``` 1. Click "Save & View" 1. If the job information isn't already displayed (you should see "Job Name", "Job Description", etc.), append ?sheet=XWiki.SchedulerJobSheet to the URL. ### Patches This has been patched in XWiki 14.10.3 and 15.0 RC1. ### Workarounds While the fix in the scheduler itself is easy, it relies on the code macro `source` parameter, which was introduced in 14.10.2 so you have to upgrade to benefit from it. ### References https://jira.xwiki.org/browse/XWIKI-20295 https://jira.xwiki.org/browse/XWIK...

GHSA-x764-ff8r-9hpx: XWiki Platform vulnerable to code injection in display method used in user profiles

### Impact Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The following syntax, to be put, e.g., in the about section of the user profile, demonstrates a proof of concept: ``` {{html wiki="true"}}~{~{~/~h~t~m~l~}~}~ ~{~{~c~a~c~h~e~}~}~{~{~g~r~o~o~v~y~}~}~p~r~i~n~t~l~n~(~1~)~{~{~/~g~r~o~o~v~y~}~}~{~{~/~c~a~c~h~e~}~}~{{/html}} ``` While it would be expected that the above code is displayed just without the `~`, in fact just "1" is displayed, followed by a lot of raw HTML code. The same vulnerability can also be exploited in other contexts where the `display` method on a document is used to display a field with wiki syntax, for example in applications created using [App Within Minutes](https://extensions.xwiki.org/xwiki/bin/view/Extension/App%20Within%20Minutes%20Application). ### Patches This has been patched in XWiki...

GHSA-mjw9-3f9f-jq2w: XWiki Platform vulnerable to code injection from view right on XWiki.ClassSheet

### Impact Any user with view rights can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. For instance: `Open <xwiki-host>/xwiki/bin/view/%22%2F%7D%7D%7B%7B%2Fhtml%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=XWiki.ClassSheet&xpage=view`, where `<xwiki-host>` is the URL of your XWiki installation. ### Patches This has been patched in XWiki 14.4.8, 14.10.3 and 15.0RC1. ### Workarounds The fix is only impacting Velocity templates and page contents, so applying this [patch](https://github.com/xwiki/xwiki-platform/commit/d7e56185376641ee5d66477c6b2791ca8e85cfee) is enough to fix the issue. ### Refere...

GHSA-p67q-h88v-5jgr: XWiki Platform vulnerable to code injection from account/view through VFS Tree macro

### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of `Macro.VFSTreeMacro`. This page is not installed by default. See https://jira.xwiki.org/browse/XWIKI-20260 for the reproduction steps. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.2, 14.4.8, 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12) on `Macro.VFSTreeMacro`. ### References - https://jira.xwiki.org/browse/XWIKI-20260 - https://github.com/xwiki/xwiki-platform/commit/fad02328f5ec7ab7fe5b932ffb5bc5c1ba7a5b12 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-9jq5-xwqw-q8j3: XWiki Platform vulnerable to page render failure due to broken translations

### Impact It's possible to break many translations coming from wiki pages by creating a corrupted document containing a translation object. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds There is no other workaround other than fixing any way to create a document that fail to load. ### References https://jira.xwiki.org/browse/XWIKI-20460 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-3hjg-cghv-22ww: org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

### Impact A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. ### Patches The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2, 15.0-rc-1. ### Workarounds The problem can be worked around by applying following changes directly in XWiki.AttachmentSelector page: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1. ### References * https://jira.xwiki.org/browse/XWIKI-20364 * https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])