Skip to content

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Critical
surli published GHSA-9hqh-fmhg-vq2j Nov 21, 2022

Package

maven org.xwiki.platform:xwiki-platform-attachment-ui (Maven)

Affected versions

>= 5.0-milestone-1

Patched versions

14.4.2, 13.10.7, 14.5

Description

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

  • Log in as a simple user with just edit rights on the user profile
  • Go to the user's profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on "rename" in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • Hello from groovy! is displayed as the title of the attachment

Scenario 2:

  • Log in as a simple user with just edit rights on a page
  • Create a Page MyPage.WebHome
  • Create an XClass field of type String named avatar
  • Add an XObject of type MyPage.WebHome on the page
  • Insert an attachmentSelector macro in the document with the following values:
    • classname: MyPage.WebHome
    • property: avatar
    • savemode: direct
    • displayImage: true
    • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of an attachmentSelector macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

Workarounds

No known workaround.

References

For more information

If you have any questions or comments about this advisory:

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVE ID

CVE-2022-41928

Weaknesses