logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-37901 org.xwiki.platform:xwiki-platform-search-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-search-ui
Vulnerable Version: >=9.2-rc-1 <14.10.21 || >=15.0-rc-1 <15.5.5 || >=15.6-rc-1 <15.10.2

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.05403 pctl0.89759

Details

XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet ### Impact Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, as a user without script nor programming rights, add an object of type `XWiki.SearchSuggestConfig` to your profile page, and an object of type `XWiki.SearchSuggestSourceClass` as well. On this last object, set both `name` and `icon` properties to `$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')")` and `limit` and `engine` to `{{/html}}{{async}}{{velocity}}$services.logging.getLogger("attacker").error("I got programming: $services.security.authorization.hasAccess('programming')"){{/velocity}}{{/async}}`. Save and display the page. If the logs contain any message `ERROR attacker - I got programming: true` then the instance is vulnerable. ### Patches This vulnerability has been patched in XWiki 14.10.21, 15.5.5 and 15.10.2. ### Workarounds We're not aware of any workaround except upgrading. ### References - https://jira.xwiki.org/browse/XWIKI-21473 - https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e

Metadata

Created: 2024-07-31T15:24:37Z
Modified: 2024-09-06T21:41:22Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-h63h-5c77-77p5/GHSA-h63h-5c77-77p5.json
CWE IDs: ["CWE-862", "CWE-94", "CWE-95"]
Alternative ID: GHSA-h63h-5c77-77p5
Finding: F184
Auto approve: 1