SB2022090868 - Multiple vulnerabilities in XWiki platform

Published: September 8, 2022 Updated: May 5, 2026

Security Bulletin ID: SB2022090868
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 12
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 8% Medium 83% Low 8%

Description

This security bulletin contains information about 12 vulnerabilities.


1) Eval Injection (CVE-ID: CVE-2022-36100)

The vulnerability allows a remote user to execute arbitrary code with programming rights.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Main.Tags document when handling the do=viewTag request with a user-supplied tag parameter. A remote user can send a specially crafted request to execute arbitrary code with programming rights.

On public wikis, view rights on the document are granted by default, and on private wikis authenticated users typically have the required view rights. On versions before 13.10.4 and 14.2, the issue can be chained with an authentication bypass in the login action so that no rights are required.


2) Eval Injection (CVE-ID: CVE-2022-36099)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in XWikiServerClassSheet when processing a crafted URL parameter in the sheet request. A remote user can inject arbitrary wiki syntax including script macros to execute arbitrary code.

Exploitation requires view access to this sheet and to another page that has been saved with programming rights.


3) Eval Injection (CVE-ID: CVE-2022-36098)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the mentions macro UI when processing mention macro anchor or reference fields. A remote user can store specially crafted JavaScript or Groovy code in a mention macro field to execute arbitrary code.

The injected code is executed when a page containing the malicious mention is viewed.


4) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2022-36097)

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the move attachment form when rendering the attachment name. A remote user can create an attachment with a specially crafted name to execute arbitrary JavaScript in the victim's browser.

User interaction is required when a victim attempts to move the corresponding attachment.


5) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2022-36096)

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the deleted attachments list when rendering attachment names. A remote user can upload an attachment with a specially crafted name to execute arbitrary JavaScript in the victim's browser.

User interaction is required to view the deleted attachments index.


6) Cross-site request forgery (CVE-ID: CVE-2022-36095)

The vulnerability allows a remote attacker to modify tags on XWiki pages.

The vulnerability exists due to cross-site request forgery (CSRF) in documentTags.vm when handling requests to add or remove tags. A remote attacker can trick a victim into sending a crafted request to modify tags on XWiki pages.

User interaction is required.


7) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2022-36094)

The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.

The vulnerability exists due to improper neutralization of script-related HTML tags in the attachment history when rendering the history of an attachment with JavaScript in its name. A remote user can upload an attachment with a specially crafted filename to execute arbitrary JavaScript in the victim's browser.

User interaction is required to view the history of the crafted attachment.


8) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2022-36093)

The vulnerability allows a remote user to create user accounts and bypass email verification.

The vulnerability exists due to authentication bypass using an alternate path or channel in the xpart template when passing a distribution wizard template to it. A remote user can pass a distribution wizard template through the xpart template to create user accounts and bypass email verification.

On private wikis, exploitation can potentially grant access to the wiki, and on public wikis the resulting account may obtain write access depending on the configured default user rights. When an external authentication system is configured, created accounts cannot authenticate unless local account bypass is supported.


9) Improper Authorization (CVE-ID: CVE-2022-36090)

The vulnerability allows a remote user to disclose sensitive information and modify data.

The vulnerability exists due to improper authorization in resource handlers, including the REST service, when handling requests from inactive users. A remote user can send a crafted REST call or access unprotected extension resource handlers to disclose sensitive information and modify data.

The issue affects inactive users, including not yet activated and disabled accounts.


10) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-29161)

The vulnerability allows a remote attacker to compromise certificate trust by exploiting weak certificate signatures.

The vulnerability exists due to use of a broken or risky cryptographic algorithm in the XWiki Crypto API certificate generation functionality when generating X509 certificates signed by default with SHA1 with RSA. A remote attacker can leverage SHA1 collision weaknesses to compromise certificate trust by exploiting weak certificate signatures.

This API is not used in XWiki Standard by default but might be used by some XWiki extensions.
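As an added defender's check for item 10 (example code, not part of XWiki or this bulletin): a standard-library-only Python routine that reads the signatureAlgorithm OID from a DER-encoded certificate and flags SHA-1 based signatures such as sha1WithRSAEncryption. The two certificate skeletons are constructed samples, not real certificates; a real certificate in PEM form can be converted with `ssl.PEM_cert_to_DER_cert` and passed in unchanged.

```python
# Added example: detect SHA-1 based X.509 signature algorithms with a minimal DER reader.

# SHA-1 based signature algorithm OIDs (RFC 3279)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Convert OID content octets (base-128 arcs) to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """Return the dotted OID of Certificate.signatureAlgorithm (RFC 5280 4.1.1.2)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate must be a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)     # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(alg_id, 0)    # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)

def uses_sha1_signature(cert_der):
    """True if the certificate's outer signature algorithm is SHA-1 based."""
    return signature_oid(cert_der) in SHA1_SIGNATURE_OIDS

# Constructed certificate skeletons (not real certificates): a tbsCertificate holding
# only a serial number, the AlgorithmIdentifier under test, and a dummy BIT STRING.
SAMPLE_SHA1_CERT = bytes.fromhex(
    "301b" "3003020101" "300d06092a864886f70d0101050500" "03050000000000")
SAMPLE_SHA256_CERT = bytes.fromhex(
    "301b" "3003020101" "300d06092a864886f70d01010b0500" "03050000000000")
```

Running `uses_sha1_signature` over every certificate an extension stores or trusts gives a quick inventory of material that should be regenerated with a SHA-2 signature.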


11) Improper access control (CVE-ID: CVE-2023-29526)

The vulnerability allows a remote user to disclose sensitive information and interact with restricted documents.

The vulnerability exists due to improper access control in the async and display macros when rendering comment content in comments viewer mode. A remote user can create a comment containing crafted macro content to disclose sensitive information and interact with restricted documents.

Exploitation requires comment rights for the attacking user and use of the comments viewer.


12) Eval Injection (CVE-ID: CVE-2023-29519)

The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the attachment selector when processing the "property" field of an attachment selector as a gadget of the attacker's own dashboard. A remote attacker can inject crafted code in the "property" field to execute arbitrary code.

The issue can lead to privilege escalation. Comments of a wiki are not affected.


Remediation

Install updates from the vendor's website.
