Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 15.6-rc-1, 14.10.14, 15.5.1
Affects Version/s: 1.7
Component/s: Administration
Labels:
Environment:
Windows 11 Pro, Edge 114, using a local instance of XWiki 15.5, Jetty/HSQLDB

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce

As a guest user, go to <server>/xwiki/bin/view/Main/WebHome?sheet=XWiki.AdminSheet&viewer=content&section=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger(%22attacker%22).error(%22Attack%20succeeded!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D

Expected results
The content is not executed, no error is logged in console.

Actual results
The content is executed and the following error is displayed in the logs:

2023-07-05 15:21:50,350 [org.xwiki.rendering.async.internal.AsyncRendererJob@14a7a3cf([async, macro, xwiki:XWiki.AdminSheet, 22, author, xwiki:XWiki.superadmin, rendering.restricted, false, secureDocument, xwiki:XWiki.AdminSheet, 176])] ERROR attacker                       - Attack succeeded!

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Content_executed_Guest.png
82 kB
05/Jul/23 14:31

Issue Links

links to

Security Advisory

Activity

People

Assignee:: Michael Hamann

Reporter:: Ilie Andriuta

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Jul/23 14:31

Updated:: 03/Nov/23 14:47

Resolved:: 11/Jul/23 16:55

Date of First Response:: 11/Jul/23 5:47 PM