Headline
GHSA-m9x4-w7p9-mxhx: XWiki allows Reflected XSS in two templates
Impact
Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim’s session by getting the victim to visit an attacker-controlled URL. PoC URLs are /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)> and /xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E. This allows the attacker to perform arbitrary actions using the permissions of the victim.
Patches
The problem has been patched in XWiki 16.4.8, 16.10.6 and 17.3.0RC1 by adding escaping in the affected templates.
Workarounds
The affected templates can be patched manually in the WAR by applying the same changes as in the patch.
Attribution
The vulnerability involving job_status_json has been reported as “Unauth Reflected XSS” vulnerability by Aleksey Solovev (Positive Technologies), and the vulnerability involving distribution has been reported as “Auth Admin Reflected XSS” vulnerability by Evgeny Kopytin (Positive Technologies). According to our analysis, both vulnerabilities can be exploited against both unauthenticated and authenticated victims (including victims with admin privileges) which is why we publish them together in this advisory.
Impact
Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim’s session by getting the victim to visit an attacker-controlled URL. PoC URLs are /xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)> and /xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E. This allows the attacker to perform arbitrary actions using the permissions of the victim.
Patches
The problem has been patched in XWiki 16.4.8, 16.10.6 and 17.3.0RC1 by adding escaping in the affected templates.
Workarounds
The affected templates can be patched manually in the WAR by applying the same changes as in the patch.
Attribution
The vulnerability involving job_status_json has been reported as “Unauth Reflected XSS” vulnerability by Aleksey Solovev (Positive Technologies), and the vulnerability involving distribution has been reported as “Auth Admin Reflected XSS” vulnerability by Evgeny Kopytin (Positive Technologies). According to our analysis, both vulnerabilities can be exploited against both unauthenticated and authenticated victims (including victims with admin privileges) which is why we publish them together in this advisory.
References
- GHSA-m9x4-w7p9-mxhx
- xwiki/xwiki-platform@e5926a9
- https://jira.xwiki.org/browse/XWIKI-23096