Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.0-rc-1, 13.10.11, 14.10.1, 14.4.8
Affects Version/s: 2.0 RC2
Component/s: Attachments
Labels:

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

Open <xwiki_host>/xwiki/bin/view/XWiki/AttachmentSelector?docname=%5D%5D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where <xwiki_host> is the URL of your XWiki installation.

Expected result:

No text is displayed next to the cancel button.

Actual result:

The text Hello from groovy!||class="button secondary" id="attachment-picker-close"]] is displayed after the cancel button, demonstrating a privilege escalation from view rights on XWiki.AttachmentSelector to programming rights due to insufficient escaping.

Attachments

Issue Links

links to

GitHub Security Advisory

Activity

People

Assignee:: Manuel Leduc

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Oct/22 11:59

Updated:: 12/Apr/23 14:02

Resolved:: 02/Dec/22 15:12