CVE-2023-32069 – org.xwiki.platform:xwiki-platform-test-ui

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-test-ui
Vulnerable Version: >=3.3-milestone-3 <14.10.4

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.03057 pctl0.86188

Details

Privilege escalation (PR)/RCE from account through class sheet ### Impact It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document. **Steps to Reproduce:** 1. Edit your user profile with the object editor and add an object of type `DocumentSheetBinding` with value `Default Class Sheet` 1. Edit your user profile with the wiki editor and add the syntax `{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}` 1. Click "Save & View" **Expected result:** An error is displayed as the user doesn't have the right to execute the Groovy macro. **Actual result:** The text "Hello from groovy!" is displayed at the top of the document. ### Patches This has been patched in XWiki 15.0-rc-1 and 14.10.4. ### Workarounds There are no known workarounds for it. ### References https://jira.xwiki.org/browse/XWIKI-20566 https://github.com/xwiki/xwiki-platform/commit/de72760d4a3e1e9be64a10660a0c19e9534e2ec4 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2023-05-11T20:36:59Z
Modified: 2023-05-11T20:36:59Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-36fm-j33w-c25f/GHSA-36fm-j33w-c25f.json
CWE IDs: ["CWE-863"]
Alternative ID: GHSA-36fm-j33w-c25f
Finding: F006
Auto approve: 1