CVE-2023-29507 – org.xwiki.platform:xwiki-platform-oldcore
Package
Manager: maven
Name: org.xwiki.platform:xwiki-platform-oldcore
Vulnerable Version: >=14.5 <14.10 || >=14.4.1 <14.4.7
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00646 (percentile: 0.69801)
Details
org.xwiki.platform:xwiki-platform-oldcore makes Incorrect Use of Privileged APIs with DocumentAuthors

### Impact

The Document script API directly returns a `DocumentAuthors` object, which allows a script to set any author on the document. This in turn can allow subsequent execution of scripts, since this author is used when checking rights.

Example of such an attack:

```
{{velocity}}
$doc.setContent('{{velocity}}$xcontext.context.authorReference{{/velocity}}')
$doc.authors.setContentAuthor('xwiki:XWiki.superadmin')
$doc.getRenderedContent()
{{/velocity}}
```

### Patches

The problem has been patched in XWiki 14.10 and 14.4.7 by returning a safe script API.

### Workarounds

There is no easy workaround apart from upgrading.

### References

* https://jira.xwiki.org/browse/XWIKI-20380
* https://github.com/xwiki/xwiki-platform/commit/905cdd7c421dbf8c565557cdc773ab1aa9028f83

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [Jira](https://jira.xwiki.org)
* Email us at [security ML](mailto:security@xwiki.org)
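The general shape of the fix described under Patches (hand scripts a safe wrapper instead of the internal authors object) is sketched below as an added example; it is not XWiki's code. The classes `InternalAuthors` and `SafeAuthors`, the `callerIsPrivileged` check and the sample author names other than `xwiki:XWiki.superadmin` are hypothetical, and the exact right the real patch checks is not stated in this advisory.

```java
import java.util.function.BooleanSupplier;

public class SafeAuthorsDemo {
    // Hypothetical stand-in for the internal, mutable authors object.
    static class InternalAuthors {
        private String contentAuthor;
        InternalAuthors(String contentAuthor) { this.contentAuthor = contentAuthor; }
        String getContentAuthor() { return contentAuthor; }
        void setContentAuthor(String author) { this.contentAuthor = author; }
    }

    // Script-facing wrapper: reads pass through, writes need a privilege check.
    static final class SafeAuthors {
        private final InternalAuthors delegate;
        private final BooleanSupplier callerIsPrivileged; // assumed rights check

        SafeAuthors(InternalAuthors delegate, BooleanSupplier callerIsPrivileged) {
            this.delegate = delegate;
            this.callerIsPrivileged = callerIsPrivileged;
        }
        public String getContentAuthor() { return delegate.getContentAuthor(); }
        public void setContentAuthor(String author) {
            if (!callerIsPrivileged.getAsBoolean()) {
                throw new SecurityException("caller may not change the content author");
            }
            delegate.setContentAuthor(author);
        }
    }

    public static void main(String[] args) {
        InternalAuthors internal = new InternalAuthors("xwiki:XWiki.Editor"); // constructed value

        // Vulnerable shape: handing `internal` itself to a script lets it do this unchecked.
        // internal.setContentAuthor("xwiki:XWiki.superadmin");

        // Hardened shape: an unprivileged script only ever sees the wrapper.
        SafeAuthors exposed = new SafeAuthors(internal, () -> false);
        try {
            exposed.setContentAuthor("xwiki:XWiki.superadmin");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println("content author is still " + exposed.getContentAuthor());

        // A privileged caller goes through the same wrapper and is allowed.
        new SafeAuthors(internal, () -> true).setContentAuthor("xwiki:XWiki.Admin");
        System.out.println("content author is now " + internal.getContentAuthor());
    }
}
```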
Metadata
Created: 2023-04-12T20:36:28Z
Modified: 2025-02-06T20:02:23Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-pwfv-3cvg-9m4c/GHSA-pwfv-3cvg-9m4c.json
CWE IDs: ["CWE-648"]
Alternative ID: GHSA-pwfv-3cvg-9m4c
Finding: F034
Auto approve: 1