GHSA-6qvp-39mm-95v8

Published: 07 Mar 2025
Source: github
Github: Reviewed
CVSS3: 9.1

Description

com.xwiki.confluencepro:application-confluence-migrator-pro-ui Remote Code Execution via unescaped translations

Impact

A user that doesn't have programming rights can execute arbitrary code when creating a page using the Migration Page template. A possible attack vector is the following:

  • Create a page and add the following content:
    confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}
  • Use the object editor to add an object of type XWiki.TranslationDocumentClass with scope USER.
  • Access a nonexistent page using the MigrationTemplate:
    http://localhost:8080/xwiki/bin/edit/Page123?template=ConfluenceMigratorPro.Code.MigrationTemplate

It is expected that the literal text {{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} will be present on the page; instead, the translation value is interpreted as wiki markup and hello from groovy is printed.
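An added example, not part of the advisory or the project's code: a Python check that scans the text of translation documents (for instance, exported ones with scope USER) for wiki-macro markup inside translation values, which is the pattern the steps above rely on. The macro list, the function names and the sample document, including the key confluencepro.job.title, are assumptions constructed for illustration.

```python
import re

# Wiki-macro markers that have no place in a translation value. The list is an
# assumption for this example, built around the macros named in the advisory.
MACRO_RE = re.compile(
    r"\{\{\s*/?\s*(html|async|groovy|velocity|python|script)\b", re.IGNORECASE
)


def parse_translations(content):
    """Parse 'key=value' lines of a translation document into (key, value) pairs."""
    pairs = []
    for raw in content.splitlines():
        line = raw.strip()
        # Skip blank lines, comments and lines that are not key=value entries.
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def suspicious_translations(content):
    """Return {key: sorted macro names} for values that embed macro markup."""
    findings = {}
    for key, value in parse_translations(content):
        names = sorted({m.group(1).lower() for m in MACRO_RE.finditer(value)})
        if names:
            findings[key] = names
    return findings


# Constructed sample: one benign entry and the entry quoted in the advisory.
SAMPLE = "\n".join([
    "# constructed translation document",
    "confluencepro.job.title=Migration job",
    'confluencepro.job.question.advanced.input={{/html}} {{async async="true" '
    'cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!")'
    "{{/groovy}}{{/async}}",
])

if __name__ == "__main__":
    for key, macros in suspicious_translations(SAMPLE).items():
        print(f"{key}: macro markup in translation value ({', '.join(macros)})")
```

A hit is a reason to review who authored the translation document and whether that account holds programming rights; it is not a substitute for upgrading.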

Patches

The issue will be fixed as part of v1.2. The fix was added with commit 35cef22.

Workarounds

There are no known workarounds besides upgrading.

References

No references.

Packages

Name: com.xwiki.confluencepro:application-confluence-migrator-pro-ui (maven)
Affected versions: >= 1.0, < 1.2.0
Fixed version: 1.2.0

EPSS: 0.00459 (percentile: 63%, Low)

CVSS3: 9.1 Critical

Weaknesses: CWE-95

Related vulnerabilities

CVSS3: 9.1
nvd
11 months ago

XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. A user that doesn't have programming rights can execute arbitrary code due to an unescaped translation when creating a page using the Migration Page template. This vulnerability is fixed in 1.2.0.

CVSS3: 9.1
fstec
11 months ago

Vulnerability in the Migration Page Template component of the XWiki Confluence Migrator Pro data migration tool that allows an attacker to execute arbitrary code
