Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 13.10.11, 14.4.7, 14.10
Affects Version/s: 13.0
Component/s: Old Core
Labels:

Tests:

Integration
Difficulty:
Unknown
Documentation:
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-3738-p9x3-mv9r
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

As an admin with programming rights, create a new user without script or programming right.
Login with the freshly created user.
Insert the following text in source mode in the about section:
```
{{groovy}}println("hello from groovy!"){{/groovy}}
```
Click "Save & View"

Expected result:

An error is displayed in the about section that the script macro couldn't be executed.

Actual result:

The text "hello from groovy!" is displayed.

This works with any TextAreaClass property that has wiki syntax enabled and is displayed using the regular displayer, e.g., using $doc.display in a document where the content author is a user with programming right. The reason seems to be that `TextAreaClass` overrides the security document which is explicitly set by $doc.display to ensure that not the content author but the displayed object's author is used.

Attachments

Issue Links

blocks

XWIKI-20312 Stored XSS via the HTML displayer in Live Data still exploitable

Closed

Activity

People

Assignee:: Thomas Mortagne

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Nov/22 13:42

Updated:: 01/Mar/23 17:44

Resolved:: 17/Nov/22 12:15

Date of First Response:: 16/Nov/22 2:47 PM