CVE-2023-45144 – com.xwiki.identity-oauth:identity-oauth-ui
Package
Manager: maven
Name: com.xwiki.identity-oauth:identity-oauth-ui
Vulnerable Version: >=1.0 <1.6
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.04053 (percentile 0.8807)
Details
XWiki Identity OAuth: privilege escalation (PR) / remote code execution from the login screen through an unescaped URL parameter

Impact
When logging in via the OAuth method, the identityOAuth parameters sent in a GET request are vulnerable to XSS and XWiki syntax injection. This allows remote code execution via the groovy macro and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The vulnerability is in [this part](https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58) of the code.

Patches
The issue has been fixed in Identity OAuth version 1.6 by https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6. The fix is in the content of the [IdentityOAuth/LoginUIExtension](https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188) file.

Workarounds
There are no known workarounds besides upgrading.

References
* Original report: https://jira.xwiki.org/browse/XWIKI-20719
Metadata
Created: 2023-10-17T12:51:01Z
Modified: 2023-10-17T12:51:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-h2rm-29ch-wfmh/GHSA-h2rm-29ch-wfmh.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-h2rm-29ch-wfmh
Finding: F008
Auto approve: 1