Описание
XWiki Platform allows XSS through XClass name in string properties
Impact
Is it possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL.
Reproduction steps
- As a user without script or programming right, create a (non-terminal) document named
" + alert(1) + "(the quotes need to be part of the name). - Edit the class.
- Add a string property named
"test". - Edit using the object editor and add an object of the created class
- Get an admin to open
<xwiki-server>/xwiki/bin/view/%22%20%2B%20alert(1)%20%2B%20%22/?viewer=display&type=object&property=%22%20%2B%20alert(1)%20%2B%20%22.WebHome.test&mode=editwhere<xwiki-server>is the URL of your XWiki installation.
Patches
This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
Workarounds
We're not aware of any workaround except upgrading.
References
Пакеты
org.xwiki.platform:xwiki-platform-oldcore
>= 1.1.2, < 14.10.21
14.10.21
org.xwiki.platform:xwiki-platform-oldcore
>= 15.0-rc-1, < 15.5.5
15.5.5
org.xwiki.platform:xwiki-platform-oldcore
>= 15.6-rc-1, < 15.10.6
15.10.6
org.xwiki.platform:xwiki-platform-oldcore
= 16.0.0-rc-1
16.0.0
EPSS
9.4 Critical
CVSS4
9 Critical
CVSS3
CVE ID
Дефекты
Связанные уязвимости
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible for a user without Script or Programming rights to craft a URL pointing to a page with arbitrary JavaScript. This requires social engineer to trick a user to follow the URL. This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0.
EPSS
9.4 Critical
CVSS4
9 Critical
CVSS3