Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-c5v8-2q4r-5w9v

Опубликовано: 16 сент. 2022
Источник: github
Github: Прошло ревью
CVSS3: 9.9

Описание

XWiki Platform Mentions UI vulnerable to Cross-site Scripting

Impact

It's possible to store Javascript or groovy scripts in an mention macro anchor or reference field. The stored code is executed by anyone visiting the page with the mention.

For example, the example below will create a file at /tmp/exploit.txt:

{{mention reference="XWiki.Translation" anchor="{{/html~}~}{{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}new File(~"/tmp/exploit.txt~").withWriter { out -> out.println(~"owned!~"); }{{/groovy~}~}{{/async~}~}"/}}

Patches

This issue has been patched on XWiki 14.4 and 13.10.6.

Workarounds

It's possible to fix the vulnerability by updating XWiki.Mentions.MentionsMacro and edit the Macro code field of the XWiki.WikiMacroClass XObject.

<a id="$anchor" class="$stringtool.join($cssClasses, ' ')" data-reference="$services.model.serialize($reference.reference, 'default')" href="$link">$content</a>

Must be replaced by

<a id="$escapetool.xml($anchor)" class="$stringtool.join($cssClasses, ' ')" data-reference="$escapetool.xml($services.model.serialize($reference.reference, 'default'))" href="$escapetool.xml($link)"> $escapetool.xml($content) </a>

See the patches:

References

For more information

If you have any questions or comments about this advisory:

Ссылки

Пакеты

Наименование

org.xwiki.platform:xwiki-platform-mentions-ui

maven
Затронутые версииВерсия исправления

>= 12.5-rc-1, < 13.10.6

13.10.6

Наименование

org.xwiki.platform:xwiki-platform-mentions-ui

maven
Затронутые версииВерсия исправления

>= 14.0, < 14.4

14.4

EPSS

Процентиль: 97%
0.4365
Средний

9.9 Critical

CVSS3

CVE ID

CVE-2022-36098

Дефекты

CWE-79

Связанные уязвимости

nvd логотип

CVE-2022-36098

CVSS3: 8.9
nvd
больше 3 лет назад

XWiki Platform Mentions UI is a user interface for mentioning users in wiki content for XWiki Platform, a generic wiki platform. Starting in version 12.5-rc-1 and prior to versions 13.10.6 and 14.4, it's possible to store Javascript or groovy scripts in a mention, macro anchor, or reference field. The stored code is executed by anyone visiting the page with the mention. This issue has been patched on XWiki 14.4 and 13.10.6. As a workaround, one may update `XWiki.Mentions.MentionsMacro` and edit the `Macro code` field of the `XWiki.WikiMacroClass` XObject.

EPSS

Процентиль: 97%
0.4365
Средний

9.9 Critical

CVSS3

CVE ID

CVE-2022-36098

Дефекты

CWE-79