[MAVEN:GHSA-PWFV-3CVG-9M4C] org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors
Severity
Critical
Affected Packages
2
Fixed Packages
2
CVEs
1
Impact
The Document script API returns directly a DocumentAuthors allowing to set any authors to the document, which in consequence can allow subsequent executions of scripts since this author is used for checking rights.
Example of such attack:
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
Patches
The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.
Workarounds
There no easy workaround apart of upgrading.
References
- https://jira.xwiki.org/browse/XWIKI-20380
- https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83
For more information
If you have any questions or comments about this advisory:
* Open an issue in Jira
* Email us at security ML
| Package | Affected Version |
|---|---|
 pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
|
>= 14.4.1, < 14.4.7 |
|
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
|
>= 14.5, < 14.10 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
|
= 14.4.7 |
|
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore
|
= 14.10 |
- ID
- MAVEN:GHSA-PWFV-3CVG-9M4C
- Severity
- critical
- URL
- https://github.com/advisories/GHSA-pwfv-3cvg-9m4c
- Published
-
2023-04-12T20:36:28
(17 months ago) - Modified
-
2023-05-05T05:00:56
(16 months ago) - Rights
- Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform |
xwiki-platform-oldcore
|
>= 14.4.1 < 14.4.7 | |||
| Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform |
xwiki-platform-oldcore
|
= 14.4.7 | |||
| Affected | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform |
xwiki-platform-oldcore
|
>= 14.5 < 14.10 | |||
| Fixed | pkg:maven/org.xwiki.platform/xwiki-platform-oldcore | org.xwiki.platform |
xwiki-platform-oldcore
|
= 14.10 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |