SB2022040846 - Multiple vulnerabilities in XWiki platform
Published: April 8, 2022 Updated: May 5, 2026
Description
This security bulletin contains information about 8 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2022-31167)
The vulnerability allows a remote user to disclose sensitive information and modify authorization rules.
The vulnerability exists due to improper authorization in the security cache when checking rights for a page and a space that share the same reference. A remote user can create a page with the same name as a space and check its rights first to disclose sensitive information and modify authorization rules.
The issue is caused by rules for document Page1.Page2 and space Page1.Page2 being stored in the same cache entry.
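The following is an added illustration, not XWiki code: it models a rights cache whose entries are keyed only on the serialized reference name, so a document and a space both called Page1.Page2 share one entry, beside a cache that also keys on the entity type. The rule set, user names and class names are constructed for the example.

```python
# Added example, not XWiki code: a rights cache that conflates a document
# and a space sharing the same reference name, beside a cache keyed on the
# entity type as well. All names, users and rules are constructed.
from dataclasses import dataclass
from enum import Enum


class EntityType(Enum):
    SPACE = "space"
    DOCUMENT = "document"


@dataclass(frozen=True)
class EntityReference:
    type: EntityType
    name: str  # serialized reference, e.g. "Page1.Page2"


# Constructed rules: the space Page1.Page2 is admin-only, while the
# document Page1.Page2 (which an ordinary user may create) is guest-viewable.
VIEW_RULES = {
    (EntityType.SPACE, "Page1.Page2"): {"admin"},
    (EntityType.DOCUMENT, "Page1.Page2"): {"admin", "guest"},
}


def compute_view_right(user: str, ref: EntityReference) -> bool:
    """The authoritative (uncached) rights evaluation."""
    return user in VIEW_RULES.get((ref.type, ref.name), set())


class FlawedRightsCache:
    """Keys entries on (user, reference name) only: the bug pattern."""

    def __init__(self) -> None:
        self._entries: dict = {}

    def has_view(self, user: str, ref: EntityReference) -> bool:
        key = (user, ref.name)
        if key not in self._entries:
            self._entries[key] = compute_view_right(user, ref)
        return self._entries[key]


class FixedRightsCache(FlawedRightsCache):
    """Includes the entity type in the key, so document and space differ."""

    def has_view(self, user: str, ref: EntityReference) -> bool:
        key = (user, ref.type, ref.name)
        if key not in self._entries:
            self._entries[key] = compute_view_right(user, ref)
        return self._entries[key]


def check_sequence(cache_cls) -> tuple:
    """Check the document first, then the space, in the order the bulletin
    describes; returns the two cached answers for the guest user."""
    cache = cache_cls()
    doc = EntityReference(EntityType.DOCUMENT, "Page1.Page2")
    space = EntityReference(EntityType.SPACE, "Page1.Page2")
    return cache.has_view("guest", doc), cache.has_view("guest", space)


if __name__ == "__main__":
    print("flawed:", check_sequence(FlawedRightsCache))  # (True, True)
    print("fixed: ", check_sequence(FixedRightsCache))   # (True, False)
```

With the flawed key the second lookup never reaches the rule set: the entry populated for the document is returned for the space. A regression test for a fix of this class should therefore exercise both lookups in both orders, not just each reference in isolation.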
2) Cross-Site Scripting
The vulnerability allows a remote attacker to execute arbitrary script in a victim's browser.
The vulnerability exists due to cross-site scripting in the WikiManager.JoinWiki page when processing the "requestJoin" field. A remote attacker can submit crafted input to execute arbitrary script in a victim's browser.
User interaction is required for exploitation.
3) Cross-Site Scripting
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cross-site scripting in the Filter.FilterStreamDescriptorForm wiki page when rendering form fields on the application home page. A remote attacker can inject crafted script content to disclose sensitive information.
User interaction is required to trigger the issue.
4) Improper Neutralization of Script-Related HTML Tags
The vulnerability allows a remote user to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of script-related HTML tags in a web page in FlamingoThemesCode.WebHomeSheet when processing the "newThemeName" form field. A remote user can submit a specially crafted form value to execute arbitrary script in the victim's browser.
User interaction is required for exploitation.
5) Cross-Site Scripting
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to cross-site scripting in the registerinline.vm template when handling the xredirect hidden field. A remote attacker can supply a crafted xredirect value to disclose sensitive information.
This template is only used when the wiki is open to registration for anyone and guest users are not allowed to view the registration page. User interaction is required.
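Items 2 to 5 share one root cause: a request-controlled value is written into page markup without escaping for the context it lands in. The following is an added illustration, not XWiki code or one of its templates: it renders a hidden field from an untrusted parameter named xredirect, as in item 5, first verbatim and then with attribute-context escaping. The input value is constructed.

```python
# Added example, not XWiki code: renders a hidden form field from an
# untrusted request parameter with and without attribute-context escaping.
# The parameter name follows the bulletin; the value is constructed.
import html
import re


def render_hidden_field_unescaped(name: str, value: str) -> str:
    """Template pattern that interpolates the value verbatim (the flaw)."""
    return f'<input type="hidden" name="{name}" value="{value}" />'


def render_hidden_field(name: str, value: str) -> str:
    """Escapes for a double-quoted attribute. quote=True also encodes the
    quote characters; text-context escaping (quote=False) would leave '"'
    in place and let the value terminate the attribute early."""
    return (f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}" />')


def attribute_stays_closed(rendered: str) -> bool:
    """True when the rendered string contains exactly one tag and it is the
    input element: a crude parse, but enough as a regression check for a
    single field rendered in isolation."""
    tags = re.findall(r"<[^>]+>", rendered)
    return len(tags) == 1 and tags[0].startswith("<input ")


# Constructed request value containing characters that matter in markup.
UNTRUSTED = '"/><b>not a value</b>'


if __name__ == "__main__":
    for renderer in (render_hidden_field_unescaped, render_hidden_field):
        out = renderer("xredirect", UNTRUSTED)
        print(renderer.__name__, attribute_stays_closed(out), out)
```

The escaping function has to match the output context: the same value placed inside a script block or a URL would need a different encoder, which is why the bulletin lists a separate issue per template rather than one shared fix.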
6) Incorrect Use of Privileged APIs (CVE-ID: CVE-2022-24821)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect use of privileged APIs in the org.xwiki.platform.skin.skinx package when creating global SSX or JSX. A remote user can create global SSX or JSX without programming rights to disclose sensitive information.
User interaction is required.
7) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2022-24820)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in multiple velocity templates when rendering velocity documents. A remote attacker can render crafted velocity documents to disclose sensitive information.
Hidden documents can be listed even when the guest user does not have permission to view wiki pages.
8) Exposure of Private Information ('Privacy Violation') (CVE-ID: CVE-2022-24819)
The vulnerability allows a remote attacker to disclose information about wiki users.
The vulnerability exists due to exposure of private personal information to an unauthorized actor in uorgsuggest.vm when handling requests for user-related document suggestions. A remote attacker can request the vulnerable endpoint to disclose information about wiki users.
A guest user without the right to view wiki pages can still list documents related to users of the wiki.
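Items 7 and 8 are both listing endpoints that return results before applying the caller's view rights. The following is an added illustration, not XWiki code: a document-suggestion lookup that filters every candidate through a view-rights check and drops hidden documents unless the caller asked for them, beside the unfiltered variant. The documents, users and rights are constructed.

```python
# Added example, not XWiki code: a suggestion lookup that filters results by
# the caller's view right and by the hidden flag, beside the unfiltered
# pattern. Documents, users and the rights model are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    reference: str
    hidden: bool = False
    viewers: frozenset = frozenset()  # empty means any wiki viewer


# Constructed wiki content: user profile pages plus a regular page.
DOCS = [
    Document("XWiki.Alice"),
    Document("XWiki.Bob", hidden=True, viewers=frozenset({"admin"})),
    Document("XWiki.Carol", hidden=True),
    Document("Main.WebHome"),
]

# Constructed wiki-level view right: the guest user is not granted it.
WIKI_VIEWERS = {"admin", "alice"}


def can_view(user: str, doc: Document) -> bool:
    """Wiki-level view right first, then any per-document restriction."""
    if user not in WIKI_VIEWERS:
        return False
    return not doc.viewers or user in doc.viewers


def suggest_unfiltered(prefix: str) -> list:
    """The flawed pattern: matches returned without any rights check."""
    return [d.reference for d in DOCS if d.reference.startswith(prefix)]


def suggest(user: str, prefix: str, show_hidden: bool = False) -> list:
    """Rights-aware variant: each match must be viewable by the caller, and
    hidden documents are only included when explicitly requested."""
    return [
        d.reference
        for d in DOCS
        if d.reference.startswith(prefix)
        and can_view(user, d)
        and (show_hidden or not d.hidden)
    ]


if __name__ == "__main__":
    print("unfiltered:", suggest_unfiltered("XWiki."))
    print("guest:     ", suggest("guest", "XWiki."))
    print("alice:     ", suggest("alice", "XWiki.", show_hidden=True))
```

The check runs per result rather than once per request because the per-document rules differ; a single up-front "may this user search?" gate would still leak the restricted profile to alice.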
Remediation
Install update from vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gg53-wf5x-r3r6
- https://jira.xwiki.org/browse/XWIKI-14075
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ph5x-h23x-7q5q
- https://github.com/xwiki/xwiki-platform/commit/27f839133d41877e538d35fa88274b50a1c00b9b
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xjfw-5vv5-vjq2
- https://github.com/xwiki/xwiki-platform/commit/21906acb5ee2304552f56f9bbdbf8e7d368f7f3a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-vmhh-xh3g-j992
- https://github.com/xwiki/xwiki-platform/commit/bd935320bee3c27cf7548351b1d0f935f116d437
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx6h-936c-vrrr
- https://jira.xwiki.org/browse/XWIKI-19291
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghcq-472w-vf4h
- https://jira.xwiki.org/browse/XWIKI-19155
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qpp2-2mcp-2wm5
- https://jira.xwiki.org/browse/XWIKI-16544
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-97jg-43c9-q6pf
- https://jira.xwiki.org/browse/XWIKI-18850