[MAVEN:GHSA-CV55-V6RW-7R5V] XWiki Platform remote code execution from account via custom skins support
Impact
Any user who can edit any page, such as their own profile, can create a custom skin with a template override that is executed with programming right, thus allowing remote code execution.
To reproduce, as a user without edit, script or admin right, add an object of class XWiki.XWikiSkins to your profile. Name it whatever you want and set the Base Skin to flamingo.
Add an object of class XWikiSkinFileOverrideClass and set the path to macros.vm and the content to:
```velocity
#macro(mediumUserAvatar $username)
#resizedUserAvatar($username 50)
$services.logging.getLogger('Skin').error("I got programming: $services.security.authorization.hasAccess('programming')")
#end
```
Back in your profile, click Test this skin. Force a refresh, just in case.
If the error "Skin - I got programming: true" gets logged, the installation is vulnerable.
Patches
This has been patched in XWiki 14.10.19, 15.5.4 and 15.10RC1.
Workarounds
We're not aware of any workaround except upgrading.
References
Package | Affected Version |
---|---|
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | >= 15.6-rc-1, < 15.10-rc-1 |
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | >= 15.0-rc-1, < 15.5.4 |
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | >= 6.4-milestone-1, < 14.10.19 |
Package | Fixed Version |
---|---|
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | = 15.10-rc-1 |
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | = 15.5.4 |
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | = 14.10.19 |
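As an added example (not part of the advisory or of XWiki itself), the following Python turns the affected ranges in the tables above into a check that a build engineer can run over `mvn dependency:list` output. It assumes a simplified version ordering (milestone < rc < final release) rather than Maven's full `ComparableVersion`, and the sample dependency listing is constructed.

```python
import re
# Affected ranges of org.xwiki.platform:xwiki-platform-oldcore from the advisory
# tables above: lower bound inclusive, upper bound (the fixed version) exclusive.
AFFECTED_RANGES = [
    ("15.6-rc-1", "15.10-rc-1"),
    ("15.0-rc-1", "15.5.4"),
    ("6.4-milestone-1", "14.10.19"),
]
# Assumption: a simplified ordering (milestone < rc < final release) is enough for
# XWiki version strings; this is not a full Maven ComparableVersion implementation.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1, "": 2}
_VERSION = re.compile(r"(\d+(?:\.\d+)*)(?:-?([A-Za-z]+)-?(\d+)?)?")

def parse_version(text):
    """Turn '15.6-rc-1', '15.10RC1' or '14.10.19' into a comparable tuple."""
    m = _VERSION.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    numeric = [int(part) for part in m.group(1).split(".")]
    while len(numeric) > 1 and numeric[-1] == 0:  # treat 15.10.0 as 15.10
        numeric.pop()
    qualifier = (m.group(2) or "").lower()
    if qualifier not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in version: {text!r}")
    return (tuple(numeric), _QUALIFIER_RANK[qualifier], int(m.group(3) or 0))

def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` lies in any [lower, upper) range from the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)

def affected_oldcore_versions(dependency_list):
    """Return affected xwiki-platform-oldcore versions found in `mvn dependency:list` output."""
    hits = []
    for line in dependency_list.splitlines():
        # Expected shape: group:artifact:type[:classifier]:version[:scope]
        parts = line.strip().removeprefix("[INFO]").strip().split(":")
        if len(parts) < 4:
            continue
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        if parts[:2] == ["org.xwiki.platform", "xwiki-platform-oldcore"] and is_affected(version):
            hits.append(version)
    return hits

# Constructed sample of `mvn dependency:list` output, not from a real build.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.xwiki.platform:xwiki-platform-oldcore:jar:15.5.3:compile
[INFO]    org.xwiki.platform:xwiki-platform-rendering:jar:15.5.3:compile
"""
```

The boundary cases matter: the fixed versions themselves (14.10.19, 15.5.4, 15.10-rc-1) are reported as not affected, while the range lower bounds (for example 15.6-rc-1) are.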
- ID: MAVEN:GHSA-CV55-V6RW-7R5V
- Severity: critical
- URL: https://github.com/advisories/GHSA-cv55-v6rw-7r5v
- Published: 2024-04-10T17:14:47
- Modified: 2024-04-10T22:01:41
- Rights: Maven Security Team
Type | Package URL | Namespace | Name / Product | Version
---|---|---|---|---
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | >= 15.6-rc-1, < 15.10-rc-1
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | = 15.10-rc-1
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | >= 15.0-rc-1, < 15.5.4
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | = 15.5.4
Affected | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | >= 6.4-milestone-1, < 14.10.19
Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform | xwiki-platform-oldcore | = 14.10.19