CVE-2024-41947 – org.xwiki.platform:xwiki-platform-web-templates

Package

Manager: maven
Name: org.xwiki.platform:xwiki-platform-web-templates
Vulnerable Version: >=11.8-rc-1 <15.10.8 || >=16.0.0-rc-1 <16.3.0-rc-1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.0184 pctl0.8226

Details

XWiki Platform vulnerable to Cross-Site Scripting (XSS) through conflict resolution ### Impact By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away. Then, as another user without any other right than edit on the specific document, change the whole content to `<script>alert('XSS')</script>`. When the admin user then saves the document, a conflict popup appears. If they select "Fix each conflict individually" and see an alert displaying "XSS", then the instance is vulnerable. ### Patches This has been patched in XWiki 15.10.8 and 16.3.0RC1. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21626 * https://github.com/xwiki/xwiki-platform/commit/821d43ec45e67d45a6735a0717b9b77fffc1cd9f ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)

Metadata

Created: 2024-07-31T16:54:36Z
Modified: 2024-07-31T20:20:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-692v-783f-mg8x/GHSA-692v-783f-mg8x.json
CWE IDs: ["CWE-79", "CWE-80"]
Alternative ID: GHSA-692v-783f-mg8x
Finding: F425
Auto approve: 1