logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-55662 org.xwiki.platform:xwiki-platform-repository-server-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-repository-server-ui
Vulnerable Version: >=3.3-milestone-1 <15.10.9 || >=16.0.0-rc-1 <16.3.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.42349 pctl0.97364

Details

XWiki allows remote code execution through the extension sheet ### Impact On instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. In order to reproduce on an instance, as a normal user without `script` nor `programming` rights, go to your profile and add an object of type `ExtensionCode.ExtensionClass`. Set the description to `{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}` and press `Save and View`. If the description displays as `Hello from Description` without any error, then the instance is vulnerable. ### Patches This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. ### Workarounds Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it. It is also possible to manually apply [this patch](https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8#diff-9b6f9e853f23d76611967737f8c4072ffceaba4c006ca5a5e65b66d988dc084a) to the page `ExtensionCode.ExtensionSheet`, as well as [this patch](https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8#diff-d571404d94fa27360cfee64f2a11d8c819b397529db275e005606b7356610f82) to the page `ExtensionCode.ExtensionAuthorsDisplayer`. ### References * https://jira.xwiki.org/browse/XWIKI-21890 * https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2024-12-12T19:23:04Z
Modified: 2024-12-12T19:23:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-j2pq-22jj-4pm5/GHSA-j2pq-22jj-4pm5.json
CWE IDs: ["CWE-863", "CWE-94", "CWE-96"]
Alternative ID: GHSA-j2pq-22jj-4pm5
Finding: F037
Auto approve: 1