Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.0-rc-1, 13.10.11, 14.10.1, 14.4.8
Affects Version/s: 4.0-milestone-2
Component/s: App Within Minutes
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-44h9-xxvx-pg6x
Documentation in Release Notes:
N/A
Similar issues:

Description

Reproduction step:

Register a new user U1 (without script right)
Login as U1
Create an AWM application name "Test" (http://localhost:8080/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true)
Visit the new Test app (http://localhost:8080/xwiki/bin/view/Test/)

Expected results:
The users does not have more rights than necessary.

Actual result:
The user is Admin (implying Script right) of the "Test" space (including its sub-pages), allowing a untrusted user to create pages with persistence XSS (among other things).

Note 1: the affect versions needs to be refined.
Note 2: Probably a side effect by any other non-admin user clicking on "More application" at the top left is redirected to a page with the following message "You are not allowed to view this page or perform this action." (http://localhost:8080/xwiki/bin/admin/XWiki/XWikiPreferences?editor=globaladmin&section=XWiki.AddExtensions)

Attachments

Issue Links

is related to

XWIKI-7381 Add the Actions column to the applications live table

Closed

links to

Security advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Manuel Leduc

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 04/Oct/22 15:09

Updated:: 28/Jun/23 12:04

Resolved:: 07/Dec/22 17:19

Date of First Response:: 04/Oct/22 6:05 PM