GHSA-x37v-36wv-6v6h

Suggest an improvement
Source
https://github.com/advisories/GHSA-x37v-36wv-6v6h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-x37v-36wv-6v6h/GHSA-x37v-36wv-6v6h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x37v-36wv-6v6h
Aliases
Published
2023-04-20T20:55:02Z
Modified
2023-11-04T05:18:54.329584Z
Severity
  • 9.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
Summary
Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml
Details

Impact

The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode:

{{html}}
<!--> &lt;Details Open OnToggle=confirm("XSS")>
{{/html}}

When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.

Note that while all versions since 4.2-milestone-1 should be vulnerable, only starting with version 14.6-rc-1 the HTML comment is necessary for the attack to succeed due to another vulnerability that has been patched in version 14.6-rc-1.

Patches

This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with >.

Workarounds

There are no known workarounds apart from upgrading to a version including the fix.

References

  • https://jira.xwiki.org/browse/XCOMMONS-2568
  • https://jira.xwiki.org/browse/XWIKI-20348
  • https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list

Attribution

This vulnerability was reported on Intigriti by ynoof @Ynoof5.

Database specific
{
    "nvd_published_at": "2023-04-20T18:15:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-20T20:55:02Z"
}
References

Affected packages

Maven / org.xwiki.commons:xwiki-commons-xml

Package

Name
org.xwiki.commons:xwiki-commons-xml
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.commons/xwiki-commons-xml

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.2-milestone-1
Fixed
14.10

Affected versions

4.*

4.2-milestone-1
4.2-milestone-2
4.2-milestone-3
4.2-rc-1
4.2
4.3-milestone-1
4.3-milestone-2
4.3-rc-1
4.3
4.3.1
4.4-rc-1
4.4
4.4.1
4.5-milestone-1
4.5-rc-1
4.5
4.5.1
4.5.2
4.5.3

5.*

5.0-milestone-1
5.0-milestone-2
5.0-rc-1
5.0
5.0.1
5.0.2
5.0.3
5.1-milestone-1
5.1-milestone-2
5.1-rc-1
5.1
5.2-milestone-1
5.2-milestone-2
5.2-rc-1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.3-milestone-1
5.3-milestone-2
5.3-rc-1
5.3
5.4-milestone-1
5.4-rc-1
5.4
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.6
5.4.7

6.*

6.0-milestone-1
6.0-milestone-2
6.0-rc-1
6.0
6.0.1
6.1-milestone-1
6.1-milestone-2
6.1-rc-1
6.1
6.2-milestone-1
6.2-milestone-2
6.2-rc-1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.3-milestone-1
6.3-milestone-2
6.3-rc-1
6.3
6.4-milestone-1
6.4-milestone-2
6.4-milestone-3
6.4-rc-1
6.4
6.4.1
6.4.2
6.4.3
6.4.4
6.4.5
6.4.6
6.4.7
6.4.8

7.*

7.0-milestone-1
7.0-milestone-2
7.0-rc-1
7.0
7.0.1
7.1-milestone-1
7.1-milestone-2
7.1-rc-1
7.1
7.1.1
7.1.2
7.1.3
7.1.4
7.2-milestone-1
7.2-milestone-2
7.2-milestone-3
7.2-rc-1
7.2
7.3-milestone-1
7.3-rc-1
7.3
7.4-milestone-1
7.4-milestone-2
7.4-rc-1
7.4
7.4.1
7.4.2
7.4.3
7.4.4
7.4.5
7.4.6

8.*

8.0-milestone-1
8.0-milestone-2
8.0-rc-1
8.0
8.1-milestone-1
8.1-milestone-2
8.1-rc-1
8.1
8.2-milestone-1
8.2-milestone-2
8.2-rc-1
8.2
8.2.1
8.2.2
8.3-milestone-2
8.3-rc-1
8.3
8.4-rc-1
8.4
8.4.1
8.4.2
8.4.3
8.4.4
8.4.5
8.4.6

9.*

9.0-rc-1
9.0
9.1-rc-1
9.1
9.1.1
9.1.2
9.2-rc-1
9.2
9.3-rc-1
9.3
9.3.1
9.4-rc-1
9.4
9.5-rc-1
9.5
9.5.1
9.6-rc-1
9.6
9.7-rc-1
9.7
9.8-rc-1
9.8
9.8.1
9.9-rc-1
9.9-rc-2
9.9
9.10-rc-1
9.10
9.10.1
9.11-rc-1
9.11
9.11.1
9.11.2
9.11.3
9.11.4
9.11.5
9.11.6
9.11.7
9.11.8
9.11.9

10.*

10.0
10.1-rc-1
10.1
10.2
10.3
10.4-rc-1
10.4
10.5-rc-1
10.5
10.6-rc-1
10.6
10.6.1
10.7-rc-1
10.7
10.7.1
10.8-rc-1
10.8
10.8.1
10.8.2
10.8.3
10.9
10.10-rc-1
10.10
10.11-rc-1
10.11
10.11.1
10.11.2
10.11.3
10.11.4
10.11.5
10.11.6
10.11.7
10.11.8
10.11.9
10.11.10
10.11.11

11.*

11.0
11.0.1
11.0.2
11.0.3
11.1-rc-1
11.1
11.2-rc-1
11.2
11.3-rc-1
11.3
11.3.1
11.3.2
11.3.3
11.3.4
11.3.5
11.3.6
11.3.7
11.4-rc-1
11.4
11.5-rc-1
11.5
11.6-rc-1
11.6
11.6.1
11.7-rc-1
11.7
11.8-rc-1
11.8
11.8.1
11.9
11.10
11.10.1
11.10.2
11.10.3
11.10.4
11.10.5
11.10.6
11.10.7
11.10.8
11.10.10
11.10.11
11.10.12
11.10.13

12.*

12.0-rc-1
12.0
12.1-rc-1
12.1
12.2
12.2.1
12.3-rc-1
12.3
12.4-rc-1
12.4
12.5-rc-1
12.5
12.5.1
12.6
12.6.1
12.6.2
12.6.3
12.6.4
12.6.5
12.6.6
12.6.7
12.6.8
12.7-rc-1
12.7
12.7.1
12.8-rc-1
12.8
12.9-rc-1
12.9
12.10
12.10.1
12.10.2
12.10.3
12.10.4
12.10.5
12.10.6
12.10.7
12.10.8
12.10.9
12.10.10
12.10.11

13.*

13.0
13.1-rc-1
13.1
13.2-rc-1
13.2
13.3-rc-1
13.3
13.4-rc-1
13.4
13.4.1
13.4.2
13.4.3
13.4.4
13.4.5
13.4.6
13.4.7
13.5-rc-1
13.5
13.6-rc-1
13.6
13.7-rc-1
13.7
13.8-rc-1
13.8
13.9-rc-1
13.9
13.10-rc-1
13.10
13.10.1
13.10.2
13.10.3
13.10.4
13.10.5
13.10.6
13.10.7
13.10.8
13.10.9
13.10.10
13.10.11

14.*

14.0-rc-1
14.0
14.1-rc-1
14.1
14.2-rc-1
14.2
14.2.1
14.3-rc-1
14.3
14.3.1
14.4-rc-1
14.4
14.4.1
14.4.2
14.4.3
14.4.4
14.4.5
14.4.6
14.4.7
14.4.8
14.5
14.6-rc-1
14.6
14.7-rc-1
14.7
14.8-rc-1
14.8
14.9-rc-1
14.9