exploitDog
GHSA-9r9j-57rf-f6vj

Published: 16 Sep 2022
Source: github
GitHub: reviewed
CVSS3: 8.9

Description

XWiki Platform Attachment UI vulnerable to cross-site scripting in the move attachment form

Impact

It's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment.

For example, an attachment named `><img src=1 onerror=alert(1)>.jpg` will execute the alert.

Patches

This issue has been patched in XWiki 14.4RC1.

Workarounds

It is possible to fix the vulnerability by copying moveStep1.vm to webapp/xwiki/templates/moveStep1.vm and replacing

`#set($titleToDisplay = $services.localization.render('attachment.move.title', [$attachment.name, $escapetool.xml($doc.plainTitle), $doc.getURL()]))`

with

`#set($titleToDisplay = $services.localization.render('attachment.move.title', [ $escapetool.xml($attachment.name), $escapetool.xml($doc.plainTitle), $escapetool.xml($doc.getURL()) ]))`

See the corresponding patch.
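The workaround above comes down to one rule: every value interpolated into the move-form title, including the attachment name, must be XML-escaped before it reaches the page. The following Python is an added illustration, not XWiki's code; it models the original and patched template lines with `html.escape` standing in for `$escapetool.xml`, uses a hypothetical localization string in place of `attachment.move.title`, and feeds both versions the attachment name from the advisory's own example so the difference is visible.

```python
import html

# Attachment name taken from the advisory's example (constructed test input).
MALICIOUS_NAME = '><img src=1 onerror=alert(1)>.jpg'

# Hypothetical stand-in for the 'attachment.move.title' localization string;
# the real XWiki message text is not shown on the advisory page.
TITLE_TEMPLATE = 'Move attachment {0} from {1} ({2})'


def render_title_vulnerable(attachment_name: str, doc_title: str, doc_url: str) -> str:
    """Models the original moveStep1.vm line: only the document title is escaped,
    so the attachment name and URL land in the HTML untouched."""
    return TITLE_TEMPLATE.format(attachment_name, html.escape(doc_title), doc_url)


def render_title_fixed(attachment_name: str, doc_title: str, doc_url: str) -> str:
    """Models the patched line: every interpolated value goes through the
    escaper (html.escape here, $escapetool.xml in the Velocity template)."""
    return TITLE_TEMPLATE.format(
        html.escape(attachment_name),
        html.escape(doc_title),
        html.escape(doc_url),
    )


def contains_raw_markup(rendered: str) -> bool:
    """Simple audit check for a rendered title: after correct escaping no literal
    angle bracket should survive, because '<' and '>' become '&lt;' and '&gt;'."""
    return '<' in rendered or '>' in rendered


if __name__ == '__main__':
    args = (MALICIOUS_NAME, 'Docs', 'https://wiki.example/bin/view/Main/')
    for label, fn in (('vulnerable', render_title_vulnerable), ('fixed', render_title_fixed)):
        out = fn(*args)
        print(f'{label:10} raw markup present: {contains_raw_markup(out)}')
        print(f'{"":10} {out}')
```

The vulnerable rendering leaves the `<img ...>` tag intact, which is exactly what a browser executes when the move form is opened; the fixed rendering turns it into inert `&gt;&lt;img ...&gt;` text. The same check is useful when reviewing any other template that builds markup from user-controlled names: look for interpolated values that bypass the escaper.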

Packages

Name: org.xwiki.platform:xwiki-platform-attachment-ui (maven)
Affected versions: >= 14.0-rc-1, < 14.4-rc-1
Fixed version: 14.4-rc-1

EPSS

Percentile: 97%
Score: 0.44185
Medium

CVSS3: 8.9 High

Weaknesses

CWE-79
CWE-80

Related vulnerabilities

CVSS3: 8.9
nvd
more than 3 years ago

XWiki Platform Attachment UI provides a macro to easily upload and select attachments for XWiki Platform, a generic wiki platform. Starting with version 14.0-rc-1 and prior to 14.4-rc-1, it's possible to store JavaScript in an attachment name, which will be executed by anyone trying to move the corresponding attachment. This issue has been patched in XWiki 14.4-rc-1. As a workaround, one may copy `moveStep1.vm` to `webapp/xwiki/templates/moveStep1.vm` and replace vulnerable code with code from the patch.
