Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.
For the attack to work, the attacker needs to convince the victim to visit a link like `
Remediation
References
https://jira.xwiki.org/browse/XWIKI-20869
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9
https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b
Related Vulnerabilities
CVE-2021-23380 Vulnerability in npm package roar-pidusage
CVE-2018-18854 Vulnerability in maven package io.spray:spray-json
CVE-2016-10735 Vulnerability in maven package org.webjars:bootstrap-sass
CVE-2018-8815 Vulnerability in maven package org.opencms:opencms-core
CVE-2017-16036 Vulnerability in npm package badjs-sourcemap-server