Description
Privilege escalation (PR)/RCE from account through class sheet
Impact
It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document.
Steps to Reproduce:
- Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value Default Class Sheet
- Edit your user profile with the wiki editor and add the syntax {{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
- Click "Save & View"
Expected result:
An error is displayed as the user doesn't have the right to execute the Groovy macro.
Actual result:
The text "Hello from groovy!" is displayed at the top of the document.
Patches
This has been patched in XWiki 15.0-rc-1 and 14.10.4.
Workarounds
There are no known workarounds for it.
References
- https://jira.xwiki.org/browse/XWIKI-20566
- https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira XWiki.org
- Email us at Security Mailing List
Packages
- Package: org.xwiki.platform:xwiki-platform-test-ui
- Affected versions: >= 3.3-milestone-3, < 14.10.4
- Patched version: 14.10.4
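The affected range above mixes plain releases with pre-release qualifiers (milestone, rc), which a naive string comparison gets wrong. The helper below is an added example, not code from the advisory or from the XWiki project: it parses XWiki-style version strings and reports whether an installed version falls inside the range this advisory gives (from 3.3-milestone-3 up to but excluding 14.10.4, and 15.0 pre-releases before 15.0-rc-1). It assumes the qualifier ordering milestone < rc < final release; the function names are this example's own.

```python
import re
from typing import Tuple

# Assumed ordering of XWiki pre-release qualifiers: milestone < rc < final release.
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

VersionKey = Tuple[Tuple[int, int, int], int, int]


def parse_version(version: str) -> VersionKey:
    """Turn '14.10.4', '15.0-rc-1' or '3.3-milestone-3' into a sortable key.

    The key is (numeric parts padded to three, qualifier rank, qualifier number),
    so tuple comparison orders versions the way the advisory's ranges expect.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many numeric components: {version!r}")
    numbers = tuple(parts + [0] * (3 - len(parts)))
    if m.group(2) is None:
        return numbers, _FINAL_RANK, 0
    return numbers, _QUALIFIER_RANK[m.group(2)], int(m.group(3))


# Range boundaries taken from this advisory's Packages and Patches sections.
AFFECTED_FROM = parse_version("3.3-milestone-3")
FIXED_14X = parse_version("14.10.4")
FIXED_15X = parse_version("15.0-rc-1")
# Any 15.0 pre-release (milestone or rc) sorts at or after this key.
BRANCH_15_START: VersionKey = ((15, 0, 0), 0, 0)


def is_affected(version: str) -> bool:
    """True if the given XWiki version is within the advisory's affected range."""
    key = parse_version(version)
    if key < AFFECTED_FROM:
        return False
    if key >= BRANCH_15_START:
        # 15.0 line: only pre-releases before 15.0-rc-1 are affected.
        return key < FIXED_15X
    # 3.3-milestone-3 .. 14.10.x line: fixed from 14.10.4 onwards.
    return key < FIXED_14X


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for v in ["14.4.8", "14.10.3", "14.10.4", "15.0-milestone-1", "15.0-rc-1", "15.1"]:
        print(f"{v:18} affected={is_affected(v)}")
```

Feed the function the version string from your XWiki instances (for example the value shown in the wiki's administration page) to triage which ones still need the 14.10.4 or 15.0-rc-1 upgrade.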
Related vulnerabilities
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-2 and prior to versions 14.10.4 and 15.0-rc-1, it's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. This has been patched in XWiki 15.0-rc-1 and 14.10.4. There are no known workarounds.
A vulnerability in the XWiki Platform collaborative web application platform, related to authorization errors, that allows an attacker to escalate their privileges.