Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 14.10.20, 15.5.4, 15.10-rc-1
Affects Version/s: 4.3-milestone-2
Component/s: Localization
Labels:

Tests:

Unit
Difficulty:
Unknown
Documentation:
N/A
Documentation in Release Notes:
N/A
Similar issues:

Description

Steps to reproduce:

In a multilingual wiki, as a user without script or admin right, edit a translation of AppWithinMinutes.Translations.
In the line "platform.appwithinminutes.description=" add the following at the end:
```
{{async}}{{groovy}}println("Hello from Translation"){{/groovy}}{{/async}}
```
Save
Open the app within minutes page (AppWithinMinutes.WebHome) in the same locale.

Expected result:

Translations are broken as they were edited by a user without the necessary right.

Actual result:

Translations are still displayed and the content "Hello from Translation" is displayed at the end of the introduction.

This vulnerability is probably quite old, the affects version needs to be determined. This also exploits unescaped translations like ~~XWIKI-19749~~ but through a different vector (editing existing translations without invalidating the author).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

image-2023-10-04-17-36-56-068.png
81 kB
04/Oct/23 17:36
image-2023-10-04-17-37-12-634.png
157 kB
04/Oct/23 17:37

Issue Links

links to

Security Advisory

Activity

People

Assignee:: Pierre Jeanjean

Reporter:: Michael Hamann

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 04/Oct/23 17:39

Updated:: 10/Apr/24 09:52

Resolved:: 16/Nov/23 16:08