Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.
For the attack to work, the attacker needs to convince the victim to visit a link like `
Remediation
References
https://jira.xwiki.org/browse/XWIKI-20869
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9
https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b
Related Vulnerabilities
CVE-2022-24999 Vulnerability in maven package org.webjars:qs
CVE-2020-5259 Vulnerability in npm package dojox
CVE-2021-23337 Vulnerability in maven package org.webjars.npm:lodash
CVE-2020-7754 Vulnerability in npm package npm-user-validate
CVE-2023-32982 Vulnerability in maven package org.jenkins-ci.plugins:ansible