Headline
GHSA-x7wv-5qg4-vmr6: org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
Impact
When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.
To reproduce the problem, as a user without programming right, add an object of type XWiki.ComponentClass to any page and then edit the page as a user with programming right. There should be warning displayed, if not, the XWiki installation is vulnerable.
While such a warning didn’t exist in any version of XWiki, only in XWiki 15.9 RC1 these kinds of warnings have been introduced which is why this is considered the first version that has this vulnerability. Before that, the advice was to be careful when editing pages edited by untrusted users.
Patches
This problem has been patched in XWiki 15.10.2, 16.4.3, and 16.8.0 RC1.
Workarounds
We’re not aware of any workarounds apart from not editing pages that might have been edited by untrusted users as a user with programming rights, e.g., by using separate user accounts for admin and non-admin tasks.
Impact
When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use this to gain programming right on the wiki. For this, the attacker needs to have edit right on at least one page to place this object and then get an admin user to edit that document.
To reproduce the problem, as a user without programming right, add an object of type XWiki.ComponentClass to any page and then edit the page as a user with programming right. There should be warning displayed, if not, the XWiki installation is vulnerable.
While such a warning didn’t exist in any version of XWiki, only in XWiki 15.9 RC1 these kinds of warnings have been introduced which is why this is considered the first version that has this vulnerability. Before that, the advice was to be careful when editing pages edited by untrusted users.
Patches
This problem has been patched in XWiki 15.10.2, 16.4.3, and 16.8.0 RC1.
Workarounds
We’re not aware of any workarounds apart from not editing pages that might have been edited by untrusted users as a user with programming rights, e.g., by using separate user accounts for admin and non-admin tasks.
References
- GHSA-x7wv-5qg4-vmr6
- xwiki/xwiki-platform@1a6f1b2
- https://jira.xwiki.org/browse/XWIKI-22460