CVE-2022-24821: [XWIKI-19155] Simple users can create global SSX/JSX without specific rights
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Simple users can create global SSX/JSX without specific rights: in theory only users with Programming Rights should be allowed to create SSX or JSX that are executed everywhere on a wiki, but a bug allows anyone with edit rights to create them. This issue has been patched in XWiki 13.10-rc-1, 12.10.11 and 13.4.6. There is no easy workaround for this issue; administrators should upgrade their wiki.
The Programming Rights (PR) check for adding an "always used" Skinx extension (be it SSX or JSX) is currently performed against the content author of the document instead of the metadata author. This means that any document whose content was last edited by a user with PR can be edited by a standard user to add a JSX that will be executed everywhere in the wiki.
Reproduction steps:
- Create a document with the Admin user (who has PR rights)
- Log in with a user with edit rights (no need for script rights)
- Edit the previously created document to add a JavaScript object containing only `console.log("Hello hello");` and set this object to be used on the whole wiki
- Log out and navigate
Expected result:
- the console log should not be output since the user doesn’t have PR rights
Obtained result:
- the console log is displayed everywhere
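As an added illustration (not XWiki's own code), the following constructed Python model shows the authorship distinction the advisory describes: a document keeps a content author and a metadata author, the pre-fix check consults the wrong one, and the corrected check consults the author of the save that registered the object. The user names, the PROGRAMMING_RIGHTS set and all class and function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed: the set of users holding Programming Rights in this model
PROGRAMMING_RIGHTS = {"Admin"}


@dataclass
class SkinExtension:
    kind: str   # "SSX" or "JSX"
    use: str    # "onDemand" or "always" (always = executed everywhere on the wiki)
    code: str


@dataclass
class Document:
    content: str
    content_author: str    # last user who changed the page body
    metadata_author: str   # last user who saved the page at all (objects included)
    objects: list = field(default_factory=list)

    def edit_content(self, user, new_content):
        # Saving new page content updates both authors
        self.content = new_content
        self.content_author = user
        self.metadata_author = user

    def add_object(self, user, obj):
        # Adding an object only touches metadata: the content author is unchanged
        self.objects.append(obj)
        self.metadata_author = user


def has_pr(user):
    return user in PROGRAMMING_RIGHTS


def global_extensions_vulnerable(doc):
    # Pre-fix behaviour: "use always" is granted based on the content author
    if not has_pr(doc.content_author):
        return []
    return [o for o in doc.objects if o.use == "always"]


def global_extensions_fixed(doc):
    # Corrected behaviour: the check follows the metadata author, i.e. the
    # user whose save actually registered the object
    if not has_pr(doc.metadata_author):
        return []
    return [o for o in doc.objects if o.use == "always"]


def reproduce():
    # Mirrors the advisory's steps: Admin writes the page, an edit-only user adds a JSX
    doc = Document(content="", content_author="Admin", metadata_author="Admin")
    doc.edit_content("Admin", "Page written by an administrator")
    doc.add_object("Alice", SkinExtension("JSX", "always", 'console.log("Hello hello");'))
    # Returns (extensions activated before the fix, extensions activated after the fix)
    return len(global_extensions_vulnerable(doc)), len(global_extensions_fixed(doc))
```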