CVE-2023-29524

Code injection from account through XWiki.SchedulerJobSheet in xwiki-platform

CVSS 10 CRITICALEPSS 76.3%CWE-74

In short

A user can inject and execute malicious code on an XWiki server by editing their profile and adding a scheduler job object with groovy code, even without programming permissions. This allows attackers to run commands with server privileges.

Technical detail

Code injection vulnerability in XWiki.SchedulerJobClass allows authenticated users without script/programming rights to execute arbitrary Groovy code on the server by adding a malicious scheduler job object through the profile editor; the injected code executes in the server context when the page is viewed, enabling full compromise of the XWiki instance.

Summary generated and translated by AI from the official description.

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute anything with the right of the Scheduler Application sheet page. A user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass, In "Job Script", groovy code can be added and will be executed in the server context on viewing. This has been patched in XWiki 14.10.3 and 15.0 RC1. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

xwiki · xwiki-platform

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fc42-5w56-qw7h https://jira.xwiki.org/browse/XWIKI-20295 https://jira.xwiki.org/browse/XWIKI-20462