Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-14247

User without scripting rights can execute velocity/python scripts through velocity/python gadgets in Dashboard WebHome and User Profile dashboard.

    XMLWordPrintable

Details

    • Unit
    • High
    • Easy
    • N/A
    • N/A

    Description

      Steps to reproduce:
      1. Create new user.
      2. Deny scripting right for the new user.
      3. Log in with the new user.
      4. Click Dashboard from App Panel
      5. Edit
      6. Add Velocity Gadget and write some code.
      7. Save

      Code is executed.

      The same works for User Profile dashboard.
      The same for Python macro.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-16960 Authenticated server side code execution without programming rights

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. XWIKI-17794 RCE via Gadget title

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          links to

          Web Link Github security advisory

          Activity

            People

              surli Simon Urli
              aifrim Alexandra Ifrim
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: