XWIKI-22777

Privilege Escalation via Realtime Collaboration


Details

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Critical
    • Fix Version/s: None
    • Affects Version/s: 15.10.11
    • Component/s: Realtime, WYSIWYG Editor
    • Unknown

    Description

      An attacker can escalate user privileges and even gain administrative rights through the Realtime Collaboration feature. The exploitation is possible if the attacker places malicious code in their WYSIWYG editor during a Realtime Collaboration session with an administrator. The code does not need to be saved; it is executed directly in the administrator's WYSIWYG editor. The attacker can then delete the malicious code after execution, leaving no trace behind. If the target is not an administrator, the exploit can be adapted to target users with script or programming rights, resulting in a less significant but still severe impact on the system.

People

  Assignee: mflorea Marius Dumitru Florea
  Reporter: CycleSEC Sebastian Klipper
