XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
Critical severity
GitHub Reviewed
Published
Jul 31, 2024
in
xwiki/xwiki-platform
•
Updated Sep 6, 2024
Package
Affected versions
>= 9.2-rc-1, < 14.10.21
>= 15.0-rc-1, < 15.5.5
>= 15.6-rc-1, < 15.10.2
Patched versions
14.10.21
15.5.5
15.10.2
Description
Published to the GitHub Advisory Database
Jul 31, 2024
Reviewed
Jul 31, 2024
Published by the National Vulnerability Database
Jul 31, 2024
Last updated
Sep 6, 2024
Impact
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of
XWiki.SearchSuggestConfig
andXWiki.SearchSuggestSourceClass
to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation.To reproduce on an instance, as a user without script nor programming rights, add an object of type
XWiki.SearchSuggestConfig
to your profile page, and an object of typeXWiki.SearchSuggestSourceClass
as well. On this last object, set bothname
andicon
properties to$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')")
andlimit
andengine
to{{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}
. Save and display the page. If the logs contain any messageERROR attacker - I got programming: true
then the instance is vulnerable.Patches
This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2.
Workarounds
We're not aware of any workaround except upgrading.
References
References