logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-26477 org.xwiki.platform:xwiki-platform-flamingo-theme-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-flamingo-theme-ui
Vulnerable Version: >=6.2.4 <13.10.10 || >=14.0 <14.4.6 || >=14.5 <14.9-rc-1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.49262 pctl0.97715

Details

org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability ### Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1&action=create`. For instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create) will execute the following groovy code: `println("hello from groovy!")` on the server. ### Patches This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6. ### Workarounds It is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from [the patch fixing the issue](https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284). ### References - https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284 - https://jira.xwiki.org/browse/XWIKI-19757 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2023-03-03T22:51:02Z
Modified: 2023-03-03T22:51:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-x2qm-r4wx-8gpg/GHSA-x2qm-r4wx-8gpg.json
CWE IDs: ["CWE-94", "CWE-95"]
Alternative ID: GHSA-x2qm-r4wx-8gpg
Finding: F184
Auto approve: 1