Details
- Bug
- Resolution: Fixed
- Blocker
- 6.3-rc-1, 6.2.4
- Unit
- High
- Unknown
- N/A
- N/A
-
Description
To reproduce:
This actually executes a Groovy macro injected through the URL, as part of the error message that was supposed to print the theme name.
That page contains the following code (executed when passing an invalid form token):
{{translation key="platform.flamingo.themes.home.create.csrf" parameters="$request.newThemeName" /}}
This makes it possible to inject any wiki content by providing a value which closes the translation macro and starts anything else.
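The following is an added illustration of the failure mode described above, not code from the XWiki project or from the reporter: a toy tokenizer for {{macro}} openers shows that a verbatim request parameter can turn the single translation macro into several macros, while an allow-listed value (or a neutral placeholder when validation fails) always yields exactly one. The allow-list pattern, the placeholder text, the sample theme names and the simplified escape handling are assumptions made for this example; a production template should rely on the renderer's own escaping facilities for the target wiki syntax.

```python
import re

# Excerpt of the template line quoted in the report; __THEME__ marks where
# $request.newThemeName was inserted verbatim by Velocity.
TEMPLATE = ('{{translation key="platform.flamingo.themes.home.create.csrf" '
            'parameters="__THEME__" /}}')

# Toy tokenizer for {{macro ...}} / {{/macro}} openers in XWiki 2.x-style markup.
# A preceding "~" (the XWiki 2.x escape character) is treated as escaping the brace.
# This is a simplification of the real parser, used only to count macro boundaries.
MACRO_OPENER = re.compile(r'(?<!~)\{\{\s*(/?[A-Za-z][\w-]*)')


def macro_names(markup: str) -> list[str]:
    """Return the macro openers/closers found, in order. A safely rendered
    error message should contain exactly one: the translation macro itself."""
    return MACRO_OPENER.findall(markup)


def render_vulnerable(theme_name: str) -> str:
    """Mimics the reported behaviour: the request parameter goes into the
    markup unchanged, so it can terminate the parameter and the macro."""
    return TEMPLATE.replace('__THEME__', theme_name)


# Allow-list for a theme name as shown inside the error message (assumption:
# the real application may accept other characters; adjust to its own rules).
SAFE_THEME_NAME = re.compile(r'^[\w .-]{1,64}$')
PLACEHOLDER = '(invalid theme name)'  # assumed neutral text, no markup characters


def render_hardened(theme_name: str) -> str:
    """Hardened variant (added here, not the project's fix): only an
    allow-listed value is placed inside the macro parameter; anything else is
    replaced by a neutral placeholder, so the value can never close the
    parameter's quotes or the macro."""
    if SAFE_THEME_NAME.fullmatch(theme_name):
        return TEMPLATE.replace('__THEME__', theme_name)
    return TEMPLATE.replace('__THEME__', PLACEHOLDER)


# Constructed sample inputs: a benign theme name, and a value shaped as the
# report describes (closes the translation macro, then starts another macro).
# The injected macro is a harmless {{info}} box; the report's point is that
# arbitrary wiki content could follow instead.
BENIGN_NAME = 'Flamingo Dark'
INJECTED_NAME = 'x" /}}{{info}}injected{{/info}}{{translation key="x'

if __name__ == '__main__':
    for name in (BENIGN_NAME, INJECTED_NAME):
        print('input      :', name)
        print('vulnerable :', macro_names(render_vulnerable(name)))
        print('hardened   :', macro_names(render_hardened(name)))
```

Running the block prints one macro name for the benign input in both variants, four macro boundaries for the crafted input through the vulnerable template, and again a single translation macro through the hardened one. The `macro_names` invariant ("exactly one macro in a rendered error message") is also a cheap regression check to keep next to any template that interpolates request data into wiki markup.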
Issue Links
- is related to: XWIKI-19746 Privilege escalation (PR) with view rights on XWiki.XWikiServerClassSheet (Closed)
- links to