Details
- Bug
- Resolution: Fixed
- Critical
- 3.1
- Unit
- Unknown
- N/A
- N/A
- Pull Request accepted
Description
Steps to reproduce:
- As a user without script or admin rights, create a comment or any other content that is viewed by admins and that includes the following image: [[image:path:/xwiki/bin/view/Scheduler/?do=unschedule&which=Scheduler.NotificationEmailDailySender]]. Optionally, position the image outside the visible area, e.g. using a negative margin.
- As admin, visit that comment.
- As admin, visit the job scheduler (at /xwiki/bin/view/Scheduler/).
Expected result:
The daily email sender job is still scheduled.
Actual result:
The daily email sender job isn't scheduled anymore.
This demonstrates a CSRF vulnerability in the job scheduler: a state-changing action is performed on a plain GET request without any CSRF token check. It could also be exploited in a true cross-site attack, but that is not easily exploitable in Chrome anymore since 2021 due to the Lax SameSite cookie restrictions. The only way to still exploit it cross-site would be to send the user to the actual job scheduler page, in which case the user would notice the action and could easily undo it.
As this only allows scheduling/triggering/unscheduling existing jobs, this has a minor impact on security. Therefore, I'm setting the priority to medium.
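As an added defender-side example (not part of this issue or of XWiki's own code), the following Python scans web-server access logs for state-changing Scheduler requests of the kind described above and flags those that arrive via GET, carry no CSRF token, or originate from a page outside the scheduler. The combined log format, the `form_token` parameter name and the sample log lines are assumptions constructed here.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Actions the Scheduler accepts through its "do" parameter (the issue names
# scheduling, triggering and unscheduling as the reachable state changes).
STATE_CHANGING = {"schedule", "unschedule", "trigger"}
SCHEDULER_PATH = "/xwiki/bin/view/Scheduler/"
TOKEN_PARAM = "form_token"  # assumption: name of XWiki's CSRF token parameter

# Apache/nginx "combined" log format; the referer field is the 7th quoted value.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample: a GET unschedule triggered from an unrelated page (as an
# embedded image would), a legitimate POST with a token, and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - admin [01/Jan/2024:10:00:01 +0000] "GET /xwiki/bin/view/Scheduler/'
    '?do=unschedule&which=Scheduler.NotificationEmailDailySender HTTP/1.1" 302 0 '
    '"https://wiki.example/xwiki/bin/view/Main/SomePage" "Mozilla/5.0"',
    '203.0.113.7 - admin [01/Jan/2024:10:05:12 +0000] "POST /xwiki/bin/view/Scheduler/'
    '?do=trigger&which=Scheduler.NotificationEmailDailySender&form_token=abc123 HTTP/1.1" '
    '302 0 "https://wiki.example/xwiki/bin/view/Scheduler/" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Jan/2024:10:06:00 +0000] "GET /xwiki/bin/view/Main/WebHome '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return a finding for a suspicious scheduler state change, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["url"])
    if parts.path != SCHEDULER_PATH:
        return None
    qs = parse_qs(parts.query)
    action = qs.get("do", [None])[0]
    if action not in STATE_CHANGING:
        return None
    reasons = []
    if m["method"] == "GET":
        reasons.append("state change via GET")  # a GET is what an <img> tag issues
    if TOKEN_PARAM not in qs:
        reasons.append("missing form_token")
    referer = m["referer"]
    if referer != "-" and not urlsplit(referer).path.startswith(SCHEDULER_PATH):
        reasons.append("referer outside scheduler: " + urlsplit(referer).path)
    if not reasons:
        return None
    return {"user": m["user"], "action": action,
            "job": qs.get("which", [""])[0], "reasons": reasons}


def scan(lines):
    """Run classify() over all lines and keep only the findings."""
    return [f for f in (classify(line) for line in lines) if f]
```

Running `scan(SAMPLE_LOG)` reports only the first line, with all three reasons; the token-bearing POST from the scheduler page itself is not flagged.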