Details
- Type: Bug
- Resolution: Fixed
- Priority: Blocker
- Fix Version/s: 13.4.7, 14.0-rc-1, 13.10.3
- Unit
- Unknown
- N/A
- N/A
Description
Steps to reproduce:
1. As a user without script or programming right, put a Groovy macro with content
{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}
in the about section of the user profile.
2. As admin, notice the malicious code and disable the user profile to prevent further actions by the user. Reload the user profile.
Expected result:
No Groovy code is executed.
Actual result:
A log message Hello from Groovy! is displayed, showing that the Groovy macro has been executed.
This appears to be a regression introduced by XWIKI-17591, where the behaviour was considered a feature.
CVSS 9.0 (Critical): https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (but not that trivially exploitable)
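The steps above show user-supplied profile content that carries a script macro and is later executed in a context the user never had rights for. The following is an added audit example, not part of this issue or of XWiki's code: it scans stored wiki-syntax content for script macros and reports every author who lacks script rights, so such content can be found before anyone else touches the document. The macro list, the rights set and the profile contents are constructed for the example; the real rights model in XWiki is not consulted here.

```python
import re

# Script macros whose execution needs script or programming rights.
# This set is an assumption for the example; the issue only mentions {{groovy}}.
SCRIPT_MACROS = {"groovy", "python", "velocity"}

# Matches an opening macro tag such as {{groovy}} or {{velocity wiki="true"}}.
# Closing tags ({{/groovy}}) start with "/" and therefore do not match.
MACRO_RE = re.compile(r"\{\{\s*([a-zA-Z]+)[^}]*\}\}")


def find_script_macros(content):
    """Return the sorted, de-duplicated names of script macros used in content."""
    return sorted(
        {m.group(1).lower() for m in MACRO_RE.finditer(content)
         if m.group(1).lower() in SCRIPT_MACROS}
    )


def audit(profiles, script_right_holders):
    """Flag every user whose stored content uses a script macro without holding script rights.

    profiles: mapping of user name -> stored wiki-syntax content (e.g. the profile "about" field)
    script_right_holders: set of user names allowed to run script macros
    Returns a list of (user, [macro names]) tuples.
    """
    findings = []
    for user, content in profiles.items():
        macros = find_script_macros(content)
        if macros and user not in script_right_holders:
            findings.append((user, macros))
    return findings


# Constructed sample data: one profile carrying the payload from the issue,
# one harmless profile, and one script macro stored by a user who holds script rights.
PROFILES = {
    "attacker": '{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}',
    "alice": "Hello, I like **wikis**.",
    "admin": "{{velocity}}$services.date.now{{/velocity}}",
}
SCRIPT_RIGHT_HOLDERS = {"admin"}


if __name__ == "__main__":
    for user, macros in audit(PROFILES, SCRIPT_RIGHT_HOLDERS):
        print(f"{user}: script macro(s) {macros} stored without script rights")
```

Run as a script it reports only the attacker profile; the admin's velocity macro is stored by a user who is allowed to run it and is not flagged. The check is content-based, so it finds stored macros regardless of which author the document history later records.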
Issue Links
- is caused by: XWIKI-17591 Wrong author in history when disabling a user account (Closed)
- links to