Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 9.14
Affects Version/s: Previous versions in xwiki-platform, 9.11.5
Labels:

Tests:

Unit
Development Priority:
High
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Log in as an unprivileged user (no edit rights besides user account) on a wiki where the blog application has been installed with programming rights.
Change the user preferences to advanced user
Edit the user profile with the object editor
Add an object of type "Blog.BlogPostClass"

Set the content of the blog post to

{{groovy}}
println("Hello from Groovy Blog post!")
{{/groovy}}

Click "Save & View"

Expected result:

An error is displayed that the groovy script macro is not allowed.

Actual result:

The text "Hello from Groovy Blog post!" is displayed.

This shows a privilege escalation from a simple account to programming rights. I've reproduced this issue on XWiki 5.1 with the bundled blog application and on XWiki 14.5 with the current (9.11.5) blog application installed by a user with programming rights.

Attachments

Issue Links

links to

Security Advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 29/Jun/22 11:10

Updated:: 1 week ago 14:20

Resolved:: 05/May/25 15:55