GHSA-f776-w9v2-7vfj

Suggest an improvement
Source
https://github.com/advisories/GHSA-f776-w9v2-7vfj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-f776-w9v2-7vfj/GHSA-f776-w9v2-7vfj.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-f776-w9v2-7vfj
Aliases
Published
2023-10-17T02:19:16Z
Modified
2023-11-01T05:03:04.488166Z
Severity
  • 10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
Summary
XWiki Change Request Application UI XSS and remote code execution through change request title
Details

Impact

It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.

Patches

The vulnerability has been fixed in Change Request 1.9.2.

Workarounds

It's possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.

References

  • JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
  • Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Attribution

Thanks Michael Hamann for the report.

Database specific
{
    "nvd_published_at": "2023-10-12T17:15:09Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-17T02:19:16Z"
}
References

Affected packages

Maven / org.xwiki.contrib.changerequest:application-changerequest-ui

Package

Name
org.xwiki.contrib.changerequest:application-changerequest-ui
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.contrib.changerequest/application-changerequest-ui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.11
Fixed
1.9.2