#jira

### Impact It is possible to bypass the existing security measures put in place to avoid open redirect by using a redirect such as `//mydomain.com` (i.e. omitting the `http:`). It was also possible to bypass it when using URL such as `http:/mydomain.com`. ### Patches The problem has been patched on XWiki 13.10.10, 14.4.4 and 14.8RC1. ### Workarounds The only way to workaround the bug is by providing a patched jar of xwiki-platform-oldcore containing the following changes: https://github.com/xwiki/xwiki-platform/commit/e4f7f68e93cb08c25632c126356d218abf192d1e#diff-c445f288d5d63424f56ef13f65514ab4e174a72e979b53b88197c2b7def267cf. ### References * Jira ticket of the reported vulnerability: https://jira.xwiki.org/browse/XWIKI-19994 * Jira ticket of the original mechanism put in place to prevent open redirect: https://jira.xwiki.org/browse/XWIKI-10309 * Original advisory about open redirect: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jp55-vvmf-63mv ### For ...

### Impact The [RSS macro](https://extensions.xwiki.org/xwiki/bin/view/Extension/RSS%20Macro) that is bundled in XWiki included the content of the feed items without any cleaning in the HTML output when the parameter `content` was set to `true`. This allowed arbitrary HTML and in particular also JavaScript injection and thus cross-site scripting (XSS) by specifying an RSS feed with malicious content. With the interaction of a user with programming rights, this could be used to execute arbitrary actions in the wiki, including privilege escalation, remote code execution, information disclosure, modifying or deleting content and sabotaging the wiki. The issue can be reproduced by inserting the following XWiki syntax in any wiki page like the user account: ``` {{rss feed="https://xssrss.blogspot.com/feeds/posts/default?alt=rss" content="true" /}} ``` If an alert is displayed when viewing the page, the wiki is vulnerable. ### Patches The issue has been patched in XWiki 14.6 RC1, the con...

### Impact The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped `<script>` and `<style>`-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like `<iframe>`. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode: ``` {{html}} <a href='' onclick='alert(1)'>XSS</a> {{/html}} ``` When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. ### Patches This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes th...

### Impact Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the section ids in `XWiki.AdminFieldsDisplaySheet`. This page is installed by default. Reproduction steps are described in https://jira.xwiki.org/browse/XWIKI-20261 ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. ### Workarounds The issue can be fixed by applying this [patch](https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede) on `XWiki.AdminFieldsDisplaySheet`. ### References - https://jira.xwiki.org/browse/XWIKI-20261 - https://github.com/xwiki/xwiki-platform/commit/f1e310826a19acdcdecdecdcfe171d21f24d6ede ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at ...

### Impact Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. #### Reproduction Steps **Steps to reproduce**: - As a user without script or programming rights, edit your user profile with the object editor (enable advanced mode if necessary to get access) and add an object of type "Theme Class" of "FlamingoThemesCode". In the field "body-bg" (all other fields should work, too) add the following text: `{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}` - Click "Save & View" - Open <xwiki-host>/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet where <xwiki-host> is the URL of your XWiki installation **Expected result**: The list of color themes either doesn't inc...

### Impact Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `documentTree` macro parameters in This macro is installed by default in `FlamingoThemesCode.WebHome`. This page is installed by default. Example of reproduction: Open `<xwiki_host>/xwiki/bin/view/%22%20%2F%7D%7D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=FlamingoThemesCode.WebHome&xpage=view` where `<xwiki_host>` is the URL of your XWiki installation. > The [documentTree] macro is a standalone macro and it cannot be used inline. Click on this message for details. > Hello from groovy!.WebHome" /}} is displayed. This shows that the Groovy macro that is passed in the URL has been executed and th...

### Impact A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights. For instance, by adding the LiveData below in the about section of the profile of a user created by an admin. ``` {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. ### Workarounds N...

### Impact The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights. Example of such attack: ``` {{velocity}} $doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}') $doc.authors.setContentAuthor('xwiki:XWiki.superadmin') $doc.getRenderedContent() {{/velocity}} ``` ### Patches The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API. ### Workarounds There no easy workaround apart of upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-20380 * https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security ML](mailto:[email protected])

### Impact It was possible to inject some code using the URL of authenticate endpoints, e.g.: ``` https://hostname/xwiki/authenticate/wiki/xwiki%22onload=%22alert(origin)%22/resetpassword ``` This vulnerability was present in recent versions of XWiki: - 13.10.8+ - 14.4.3+ - 14.6+ ### Patches This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10. ### Workarounds There is no easy workaround except to upgrade. ### References - https://jira.xwiki.org/browse/XWIKI-20335 - https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](https://jira.xwiki.org) * Email us at [security mailing-list](mailto:[email protected])

### Impact Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. **Precondition**: As an admin, add the `Panels.IncludedDocuments` panel on one column. A proof of concept exploit is to edit a document and add the following code before saving. ``` {{display reference="{{cache~}~}{{groovy~}~}println(~"Hello from Groovy~" + ~" in included document!~"){{/groovy~}~}{{/cache~}~}"/}} ``` **expected** The right had side panels contain: ``` One included page: {{cache}}{{groovy}}println("Hello from Groovy" + " in included document!"){{/groovy}}{{/cache}} ``` **actual** The right had side panels contain: ``` One included page: XWiki.Hello from Groovy in included document! ``` ### Patches The problem has been patched on XWiki 14.4.7, and 14.10. ### Workarounds The issue can be fixed manually applying this [patch](h...