GHSA-9hqh-fmhg-vq2j

Suggest an improvement
Source
https://github.com/advisories/GHSA-9hqh-fmhg-vq2j
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-9hqh-fmhg-vq2j/GHSA-9hqh-fmhg-vq2j.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-9hqh-fmhg-vq2j
Aliases
Published
2022-11-21T22:34:57Z
Modified
2023-11-01T05:00:06.509354Z
Severity
  • 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Details

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page (any image is fine) - Click on "rename" in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename - Go back to the user profile - Click on the edit icon on the user avatar - Hello from groovy! is displayed as the title of the attachment

Scenario 2: - Log in as a simple user with just edit rights on a page - Create a Page MyPage.WebHome - Create an XClass field of type String named avatar - Add an XObject of type MyPage.WebHome on the page - Insert an attachmentSelector macro in the document with the following values: - classname: MyPage.WebHome - property: avatar - savemode: direct - displayImage: true - width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of an attachmentSelector macro declaration. - Display the page - Use the attachment picker to select an image - Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

  • 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23
  • 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23

Workarounds

No known workaround.

References

  • https://jira.xwiki.org/browse/XWIKI-19800

For more information

If you have any questions or comments about this advisory: - Open an issue in Jira XWiki.org - Email us at Security Mailing List

Database specific
{
    "nvd_published_at": "2022-11-23T19:15:00Z",
    "github_reviewed_at": "2022-11-21T22:34:57Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-95"
    ]
}
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name
org.xwiki.platform:xwiki-platform-attachment-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0-milestone-1
Fixed
13.10.7

Maven / org.xwiki.platform:xwiki-platform-attachment-ui

Package

Name
org.xwiki.platform:xwiki-platform-attachment-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-attachment-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
14.0.0
Fixed
14.4.2