CVE-2024-55877 – org.xwiki.platform:xwiki-platform-help-ui
Package
Manager: maven
Name: org.xwiki.platform:xwiki-platform-help-ui
Vulnerable Version: >=9.7-rc-1 <15.10.11 || >=16.0.0-rc-1 <16.4.1 || >=16.5.0-rc-1 <16.5.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.63104 (percentile 0.98339)
Details
XWiki allows remote code execution from any account through macro descriptions and XWiki.XWikiSyntaxMacrosList

### Impact

Any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page they can edit (their own user profile is enough). This compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce on an instance, as a logged-in user without script or programming rights:

1. Go to your user profile and add an object of type `XWiki.WikiMacroClass`.
2. Set "Macro Id", "Macro Name" and "Macro Code" to any value, "Macro Visibility" to `Current User` and "Macro Description" to `{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}`.
3. Save the page, then go to `<host>/xwiki/bin/view/XWiki/XWikiSyntaxMacrosList`.

If the description of your new macro reads "Hello from User macro!", then your instance is vulnerable: the `groovy` macro normally requires programming rights the test user does not have, so the output shows that `XWiki.XWikiSyntaxMacrosList` renders the attacker-controlled description as wiki syntax in its own, privileged context instead of treating it as text.

### Patches

This vulnerability has been fixed in XWiki 15.10.11, 16.4.1 and 16.5.0.

### Workarounds

It is possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3#diff-92fee29683e671b8bc668e3cf4295713d6259f715e3954876049f9de77c0a9ef) to the page `XWiki.XWikiSyntaxMacrosList`.

### References

* https://jira.xwiki.org/browse/XWIKI-22030
* https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
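The reproduction above only tells you whether a live instance is exploitable. After patching, a practitioner also wants to know whether the bug was already abused, which means finding every `XWiki.WikiMacroClass` object whose description is not plain text. The script below is an added example written for this page; it is not part of the advisory or of the XWiki project. It scans XWiki page XML in the XAR export layout (a `<xwikidoc>` root with `<object>` children whose properties are serialised as `<property><propName>value</propName></property>`) and reports macro objects whose description invokes any wiki macro, ranking the ones that invoke script macros first. The property names `id`, `name`, `visibility` and `description`, the sample export, and the user `XWiki.mallory` are assumptions made for the example.

```python
"""Triage helper for CVE-2024-55877: list XWiki.WikiMacroClass objects whose
description field carries wiki macro invocations.

Assumptions (not taken from the advisory): input is XWiki XAR-style page XML
(<xwikidoc> root, <object> children, properties serialised as
<property><propName>value</propName></property>) and the WikiMacroClass
property names are id, name, visibility and description.
"""
import json
import re
import sys
import xml.etree.ElementTree as ET

# A macro description should be plain text, so any {{macro}} in it is a
# finding. These macros are the ones worth looking at first: they execute
# script or emit raw HTML when rendered with a privileged page's rights.
SCRIPT_MACROS = {"groovy", "velocity", "python", "script", "html"}

# Opening invocations only: "{{groovy" matches, the closing "{{/groovy" does not.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")

# Constructed sample export: one user profile page with a malicious macro
# (object 0, description copied from the advisory's reproduction) and one
# benign macro (object 1).
SAMPLE_XAR_PAGE = """<xwikidoc version="1.3" reference="XWiki.mallory" locale="">
  <web>XWiki</web>
  <name>mallory</name>
  <author>XWiki.mallory</author>
  <object>
    <name>XWiki.mallory</name>
    <number>0</number>
    <className>XWiki.WikiMacroClass</className>
    <property><id>hello</id></property>
    <property><name>Hello</name></property>
    <property><visibility>Current User</visibility></property>
    <property><code>anything</code></property>
    <property><description>{{async}}{{groovy}}println("Hello from User macro!"){{/groovy}}{{/async}}</description></property>
  </object>
  <object>
    <name>XWiki.mallory</name>
    <number>1</number>
    <className>XWiki.WikiMacroClass</className>
    <property><id>greet</id></property>
    <property><name>Greet</name></property>
    <property><visibility>Current User</visibility></property>
    <property><code>Hi there</code></property>
    <property><description>Prints a friendly greeting.</description></property>
  </object>
</xwikidoc>
"""


def macros_in(text):
    """Return the names of macros invoked in a piece of XWiki syntax, in order, without duplicates."""
    return list(dict.fromkeys(m.lower() for m in MACRO_RE.findall(text or "")))


def wiki_macro_objects(page_xml):
    """Yield (page_reference, author, object_number, properties) for each WikiMacroClass object."""
    root = ET.fromstring(page_xml)
    page = root.get("reference") or f"{root.findtext('web')}.{root.findtext('name')}"
    author = root.findtext("author") or ""
    for obj in root.iter("object"):
        if obj.findtext("className") != "XWiki.WikiMacroClass":
            continue
        props = {}
        for prop in obj.findall("property"):
            for child in prop:  # the single child element is named after the property
                props[child.tag] = child.text or ""
        yield page, author, obj.findtext("number"), props


def find_suspicious_descriptions(page_xml):
    """Return findings for macro objects whose description is not plain text, script macros first."""
    findings = []
    for page, author, number, props in wiki_macro_objects(page_xml):
        macros = macros_in(props.get("description"))
        if not macros:
            continue
        findings.append({
            "page": page,
            "author": author,
            "object": number,
            "macro_id": props.get("id", ""),
            "visibility": props.get("visibility", ""),
            "macros": macros,
            "script_macros": sorted(set(macros) & SCRIPT_MACROS),
        })
    # Objects that invoke script macros are the likely exploitation attempts.
    findings.sort(key=lambda f: (not f["script_macros"], f["page"], f["object"]))
    return findings


if __name__ == "__main__":
    # Usage: python scan_wikimacros.py exported/XWiki/mallory.xml ... (no args: scan the sample)
    sources = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_XAR_PAGE]
    results = [f for xml in sources for f in find_suspicious_descriptions(xml)]
    print(json.dumps(results, indent=2))
```

Run it over every page in a XAR export of the `XWiki` space (and of any space where users can create pages) taken before the upgrade; a hit with `script_macros` non-empty, authored by a user who never held programming rights, is evidence of an attempt against this issue and the page's history and the server logs for `XWikiSyntaxMacrosList` views should be checked next.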
Metadata
Created: 2024-12-12T19:21:06Z
Modified: 2024-12-12T22:33:07Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-2r87-74cx-2p7c/GHSA-2r87-74cx-2p7c.json
CWE IDs: ["CWE-94", "CWE-96"]
Alternative ID: GHSA-2r87-74cx-2p7c
Finding: F037
Auto approve: 1