Details
- Bug
- Resolution: Fixed
- Blocker
- 9.6-rc-1
- Unit
- Unknown
- N/A
- N/A
Description
Steps to Reproduce:
- Login as a user without script or programming right.
- Go to the notifications preferences in your user profile.
- Disable the "Own Events Filter" and enable notifications in the notification menu for "Like".
- Set your first name to
{{cache id="security" timeToLive="1"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/cache}}
- Click on the like button at the bottom left of the user profile.
- Click on the notifications bell in the top bar and then on "RSS Feed".
Expected result:
The full text that we set as the first name is displayed, as literal text, in the description of the feed item saying that the profile has been liked.
Actual result:
The text Profile of Hello from groovy! </a> .<br/> liked by Hello from groovy! </p> is displayed, showing that the Groovy macro has been executed.
This demonstrates a privilege escalation from a simple user account to programming rights/remote code execution.
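The root cause is that a user-controlled profile field is spliced into wiki markup that the notifications RSS renderer then executes with elevated rights. The following Python example is added here for illustration and is not XWiki's code or its actual fix: it contrasts the unsafe composition of the "liked by" description with one that escapes macro delimiters, and adds a check that flags profile values containing macro syntax, using the first name from the steps above as constructed input. The `~` escape character and the `{{name}}` macro form are XWiki Syntax 2.x assumptions.

```python
import re

# Constructed sample input: the first name from the report's reproduction steps.
MALICIOUS_FIRST_NAME = (
    '{{cache id="security" timeToLive="1"}}{{groovy}}'
    'println("Hello from groovy!"){{/groovy}}{{/cache}}'
)

# XWiki 2.x-style macro call: {{name param="x"}} ... {{/name}} (syntax assumption).
MACRO_RE = re.compile(r"\{\{\s*/?\s*([A-Za-z_][\w-]*)[^}]*\}\}")


def find_macro_names(text: str) -> list[str]:
    """Return the macro names a wiki renderer would see in `text`.

    Usable as a detection check on profile fields: a display name should
    never contain macro syntax, so any hit is worth alerting on.
    """
    return sorted({m.group(1).lower() for m in MACRO_RE.finditer(text)})


def unsafe_like_description(liker_first_name: str) -> str:
    """Vulnerable composition: the display name is spliced straight into
    markup, so whatever it contains is parsed and executed as wiki syntax
    when the feed item is rendered."""
    return f"Profile liked by {liker_first_name}"


def escape_wiki_text(text: str) -> str:
    """Neutralise wiki syntax in untrusted text by escaping every character
    that can open or close a macro (assumes `~` is the escape character, as
    in XWiki Syntax 2.x). `~` itself is escaped first so a crafted value
    cannot cancel the escaping."""
    return text.replace("~", "~~").replace("{", "~{").replace("}", "~}")


def safe_like_description(liker_first_name: str) -> str:
    """Hardened composition: the display name is rendered as literal text."""
    return f"Profile liked by {escape_wiki_text(liker_first_name)}"


if __name__ == "__main__":
    print("macros in profile field:", find_macro_names(MALICIOUS_FIRST_NAME))
    print("unsafe:", unsafe_like_description(MALICIOUS_FIRST_NAME))
    print("safe:  ", safe_like_description(MALICIOUS_FIRST_NAME))
```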
Issue Links
- is caused by XWIKI-14289 Create an RSS feed for notifications (Closed)