#maven

### Impact It's possible to execute a script with the right of another user (provided the target user does not have programming right). For example, the following: ``` {{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}} ``` written by a user not having script right (for example in the user's profile) should produce an error (the user is not allowed to write scripts). However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script right (but not programming right) the script will be executed with as if it was written by the target user. ### Patches The problem has been patched in XWiki 14.8RC1, 14.4.5 and 13.10.10. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-19856 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](htt...

### Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: ``` {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20143 ### For more information If you have any questions or comments about this advisory:...

### Impact Users with write rights can insert well-formed content that is not handled well by the parser. For instance, with `xwiki/2.1`, inserting a deeply nested group blocks (`((( ((( ((( ((( .... ))) ))) ))) )))` (see the generator below to produce a large payload) can lead to the parser throwing a `StackOverflowError`. As a consequence, some pages becomes unusable, including: - the user index (if the page containing the faulty content is a user page) - the page index Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. ### Patches This has been patched on XWiki 13.10.10, 14.4.6, and 14.9-rc-1. ### Workarounds A temporary solution to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e...

### Impact `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` is returning an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. ### Patches This has been patched in the version 14.9-rc-1 and 14.4.6. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-20180 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](https://jira.xwiki.org/) * Email us at [security ML](mailto:[email protected])

### Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1&action=create`. For instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create) will execute the following groovy code: `println("hello from groovy!")` on the server. ### Patches This has be...

### Impact Comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled) but the async macro is not taking into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin as in: {{async}} {{groovy}}println "it works !"{{/groovy}} {{/async}} ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006) and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`. ### References * https://jira.xwiki.org/browse/XWIKI-20234 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:[email protected])

### Impact Any user can edit his own profile and inject code which is going to be executed with programming right. Steps to reproduce: * Set your first name to ``` {{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}} ``` The first name appears as interpreted "`Hello from groovy`" instead of the expected fully escaped "`{{cache id="userProfile"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}`". The same vulnerability can also be exploited in all other places where short text properties are displayed, e.g., in apps created using [Apps Within Minutes](https://extensions.xwiki.org/xwiki/bin/view/Extension/App%20Within%20Minutes%20Application) that use a short text field. ### Patches The problem has been patched on versions 13.10.9, 14.4.4, 14.7RC1. ### Workarounds There are no other workarounds than upgrading XWiki or patching the xwiki-commons-xml JAR file. ### References * https://jira.xwiki.org/browse/XWIKI-19793 * https://jira...

### Impact One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content: ``` }}} {{async async="true"}} {{groovy}} println("Hello from Groovy!") {{/groovy}} {{/async}} {{{ ``` Can be done by creating a new page or even through the user profile for users not having edit right. ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds An easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45 ### References https://jira.xwiki.org/browse/XWIKI-19731 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:[email protected])

### Impact It's possible to use the right of an existing document content author to execute a text area property. To reproduce: * As an admin with programming rights, create a new user without script or programming right. * Login with the freshly created user. * Insert the following text in source mode in the about section: ``` {{groovy}}println("hello from groovy!"){{/groovy}} ``` * Click "Save & View" ### Patches This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20373 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org/) * Email us at [Security ML](mailto:[email protected])

### Impact Users can deduce the content of the password fields by repeated call to `LiveTableResults` and `WikisLiveTableResultsMacros`. ### Patches The issue is applied on versions 14.7-rc-1, 13.4.4, and 13.10.9. ### Workarounds The issue can be fixed by upgrading to versions 14.7-rc-1, 13.4.4, and 13.10.9 and higher, or in version >= 3.2M3 by applying the patch manually on `LiveTableResults` and `WikisLiveTableResultsMacros`. ### References - Jira: https://jira.xwiki.org/browse/XWIKI-19949 - Patch: https://github.com/xwiki/xwiki-platform/commit/7f8825537c9523ccb5051abd78014d156f9791c8 ### For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:[email protected])