Steps to reproduce:
- Log in as a simple user with just edit rights on the user profile
- Go to the user's profile
- Upload an attachment in the attachment tab at the bottom of the page (any image is fine).
- Click on "rename" in the attachment list and enter
as new attachment name and submit the rename.
- Go back to the user profile.
- Click on the edit icon on the user avatar
The attachment with name
is displayed and can be selected as user profile.
The attachment name is displayed as "Hello from groovy!.png". The attachment also cannot be selected; selecting it gives a server error.
This demonstrates a privilege escalation from simple user rights to programming rights. The actual issue is in the attachment selector macro. The macro is also vulnerable to attacks via macro parameters, which probably also allow injecting code that is executed with programming rights from just view rights, similar to the attack shown in
XWIKI-19752. The affects version is the version I've used to reproduce the issue, but earlier versions might be vulnerable, too. It may be difficult to generate a file with a vulnerable name, though, as it is not a valid filename.
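As an added example (not part of this report or of XWiki's own code), a small Python audit that flags attachment names containing XWiki macro syntax, plus an escaping helper that shows what a renderer would have to do before passing a user-controlled name into wiki syntax. It assumes XWiki 2.x syntax conventions (`{{macro}}` tags and `~` as the escape character); the sample names are constructed.

```python
import re

# Opening or closing tag of an XWiki 2.x macro, e.g. "{{groovy}}" or "{{/velocity}}".
MACRO_TAG = re.compile(r"\{\{\s*/?\s*[A-Za-z][\w-]*")

# Characters that carry meaning in XWiki 2.x syntax; "~" itself is the escape character.
_SYNTAX_CHARS = set("{}~[]*_#^,\"|:=<>()-")


def looks_like_wiki_macro(name: str) -> bool:
    """True if an attachment name contains something that parses as a macro tag."""
    return MACRO_TAG.search(name) is not None


def escape_for_xwiki(name: str) -> str:
    """Prefix every syntax character with '~' so a renderer prints the name verbatim.

    This is the kind of escaping a macro must apply when it emits a user-controlled
    string (such as an attachment name) into wiki syntax instead of plain text.
    """
    return "".join("~" + ch if ch in _SYNTAX_CHARS else ch for ch in name)


def audit_attachment_names(names):
    """Return the names a defender would want to review (macro syntax present)."""
    return [n for n in names if looks_like_wiki_macro(n)]


# Constructed sample attachment names; the macro bodies are deliberately empty.
SAMPLE_NAMES = [
    "avatar.png",
    "team photo (2023).jpg",
    "{{groovy}}{{/groovy}}.png",
    "report{{velocity}}.pdf",
    "{{/html}}.png",
]

if __name__ == "__main__":
    for name in audit_attachment_names(SAMPLE_NAMES):
        print(f"suspicious attachment name: {name!r} -> escaped: {escape_for_xwiki(name)!r}")
```

Run against a dump of attachment names (for example from the attachment table) to find renames like the one described above before they are rendered anywhere with elevated rights.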