ghsa-x37v-36wv-6v6h
Vulnerability from github
Impact
The "restricted" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this "restricted" mode for security is vulnerable to JavaScript injection ("cross-site scripting"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode:
html
{{html}}
<!--> <Details Open OnToggle=confirm("XSS")>
{{/html}}
When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.
Note that while all versions since 4.2-milestone-1 should be vulnerable, only starting with version 14.6-rc-1 the HTML comment is necessary for the attack to succeed due to another vulnerability that has been patched in version 14.6-rc-1.
Patches
This problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don't start with >.
Workarounds
There are no known workarounds apart from upgrading to a version including the fix.
References
- https://jira.xwiki.org/browse/XCOMMONS-2568
- https://jira.xwiki.org/browse/XWIKI-20348
- https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab
For more information
If you have any questions or comments about this advisory: * Open an issue in Jira XWiki * Email us at XWiki Security mailing-list
Attribution
This vulnerability was reported on Intigriti by ynoof @Ynoof5.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.xwiki.commons:xwiki-commons-xml"
},
"ranges": [
{
"events": [
{
"introduced": "4.2-milestone-1"
},
{
"fixed": "14.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-29528"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-04-20T20:55:02Z",
"nvd_published_at": "2023-04-20T18:15:07Z",
"severity": "CRITICAL"
},
"details": "### Impact\nThe \"restricted\" mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1 and massively improved in version 14.6-rc-1, allowed the injection of arbitrary HTML code and thus cross-site scripting via invalid HTML comments. As a consequence, any code relying on this \"restricted\" mode for security is vulnerable to JavaScript injection (\"cross-site scripting\"/XSS). An example are anonymous comments in XWiki where the HTML macro filters HTML using restricted mode:\n\n```html\n{{html}}\n\u003c!--\u003e \u003cDetails Open OnToggle=confirm(\"XSS\")\u003e\n{{/html}}\n```\n\nWhen a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance.\n\nNote that while all versions since 4.2-milestone-1 should be vulnerable, only starting with version 14.6-rc-1 the HTML comment is necessary for the attack to succeed due to [another vulnerability](https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-m3jr-cvhj-f35j) that has been patched in version 14.6-rc-1.\n\n### Patches\nThis problem has been patched in XWiki 14.10, HTML comments are now removed in restricted mode and a check has been introduced that ensures that comments don\u0027t start with `\u003e`.\n\n### Workarounds\nThere are no known workarounds apart from upgrading to a version including the fix.\n\n### References\n* https://jira.xwiki.org/browse/XCOMMONS-2568\n* https://jira.xwiki.org/browse/XWIKI-20348\n* https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki](https://jira.xwiki.org/)\n* Email us at [XWiki Security mailing-list](mailto:security@xwiki.org)\n\n### Attribution\n\nThis vulnerability was reported on Intigriti by [ynoof](https://twitter.com/ynoofAssiri) @Ynoof5.\n",
"id": "GHSA-x37v-36wv-6v6h",
"modified": "2023-04-20T20:55:02Z",
"published": "2023-04-20T20:55:02Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-x37v-36wv-6v6h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29528"
},
{
"type": "WEB",
"url": "https://github.com/xwiki/xwiki-commons/commit/8ff1a9d7e5d7b45b690134a537d53dc05cae04ab"
},
{
"type": "PACKAGE",
"url": "https://github.com/xwiki/xwiki-commons"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XCOMMONS-2568"
},
{
"type": "WEB",
"url": "https://jira.xwiki.org/browse/XWIKI-20348"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Cross-site Scripting in org.xwiki.commons:xwiki-commons-xml"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.