Описание
XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
Impact
It's possible to use the right of an existing document content author to execute a text area property.
To reproduce:
- As an admin with programming rights, create a new user without script or programming right.
- Login with the freshly created user.
- Insert the following text in source mode in the about section:
- Click "Save & View"
Patches
This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
Workarounds
No known workaround.
References
https://jira.xwiki.org/browse/XWIKI-20373
For more information
If you have any questions or comments about this advisory:
- Open an issue in Jira
- Email us at Security ML
Пакеты
org.xwiki.platform:xwiki-platform-oldcore
>= 13.10, < 13.10.11
13.10.11
org.xwiki.platform:xwiki-platform-legacy-oldcore
>= 13.10, < 13.10.11
13.10.11
org.xwiki.platform:xwiki-platform-oldcore
>= 14.0, < 14.4.7
14.4.7
org.xwiki.platform:xwiki-platform-legacy-oldcore
>= 14.0, < 14.4.7
14.4.7
org.xwiki.platform:xwiki-platform-oldcore
>= 14.5, < 14.10
14.10
org.xwiki.platform:xwiki-platform-legacy-oldcore
>= 14.5, < 14.10
14.10
Связанные уязвимости
XWiki Platform is a generic wiki platform. Starting in version 13.10, it's possible to use the right of an existing document content author to execute a text area property. This has been patched in XWiki 14.10, 14.4.7, and 13.10.11. There are no known workarounds.