Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters. A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`. Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `
Remediation
References
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qxjg-jhgw-qhrv
https://jira.xwiki.org/browse/XWIKI-20294
https://github.com/xwiki/xwiki-platform/commit/6de5442f3c91c3634a66c7b458d5b142e1c2a2dc
Related Vulnerabilities
CVE-2022-25918 Vulnerability in npm package shescape
CVE-2022-31367 Vulnerability in npm package @strapi/strapi
CVE-2016-20018 Vulnerability in npm package knex
CVE-2023-31103 Vulnerability in maven package org.apache.inlong:manager-pojo
CVE-2023-41037 Vulnerability in maven package org.webjars.bowergithub.openpgpjs:openpgpjs