GHSA-3hjg-cghv-22ww

Source
https://github.com/advisories/GHSA-3hjg-cghv-22ww
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-3hjg-cghv-22ww/GHSA-3hjg-cghv-22ww.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3hjg-cghv-22ww
Published
2023-04-20T22:04:49Z
Modified
2023-11-01T05:01:50.573757Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection
Details

Impact

A registered user can achieve remote code execution, and through it privilege escalation, by injecting suitable code into the "property" field of an attachment selector added as a gadget on their own dashboard. Note that the vulnerability does not affect wiki comments.

Patches

The vulnerability has been patched in XWiki 13.10.11, 14.4.8, 14.10.2 and 15.0-rc-1.

Workarounds

The problem can be worked around by applying the following changes directly to the XWiki.AttachmentSelector page: https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1.

References

  • https://jira.xwiki.org/browse/XWIKI-20364
  • https://github.com/xwiki/xwiki-platform/commit/5e8725b4272cd3e5be09d3ca84273be2da6869c1

For more information

If you have any questions or comments about this advisory:

  • Open an issue in Jira XWiki.org
  • Email us at Security Mailing List

Database specific
{
    "nvd_published_at": "2023-04-19T00:15:08Z",
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-20T22:04:49Z"
}
Affected packages

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name
org.xwiki.platform:xwiki-platform-attachment-ui
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type
ECOSYSTEM
Events
  • Introduced 3.0-rc-1, fixed 13.10.11
  • Introduced 14.0-rc-1, fixed 14.4.8
  • Introduced 14.5, fixed 14.10.2