SB2023102578 - Multiple vulnerabilities in XWiki platform

Published: October 25, 2023 Updated: May 5, 2026

Security Bulletin ID: SB2023102578
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 25%, Medium: 75%

Description

This security bulletin contains information about 4 vulnerabilities.


1) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2023-45134)

The vulnerability allows a remote user to execute arbitrary actions with the rights of the user opening a malicious link.

The vulnerability exists because the create page form does not neutralize script-related HTML tags coming from a template provider when a selected template provider is processed during document creation. A remote user can create a malicious template provider and send a crafted URL; when the victim opens the link, arbitrary actions are executed with that victim's rights.

User interaction is required to open the crafted link, and exploitation depends on the privileges of the user who opens it.


2) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2023-45137)

The vulnerability allows a remote user to execute arbitrary actions with the rights of the user opening a malicious link.

The vulnerability exists because the create document form error message in createinline.vm does not neutralize script-related HTML tags when handling a request to create a document that already exists. A remote user can create a non-empty document whose name contains attack code and trick the victim into opening a crafted link; the injected code then runs with the rights of the user who opened the link.

User interaction is required to open the malicious link, and the injected code is taken from the document reference of an existing document.


3) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2023-45136)

The vulnerability allows a remote attacker to execute arbitrary actions with the rights of the user opening a malicious link.

The vulnerability exists because the create document form does not neutralize script-related HTML tags when processing a crafted page creation URL while name validation is enabled. A remote attacker can send a specially crafted link; when the victim opens it, arbitrary actions are executed with that victim's rights.

User interaction is required, and the issue is exposed only when document name validation according to a name strategy is enabled.


4) Code Injection (CVE-ID: CVE-2023-45135)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because the page creation action does not neutralize script in a user-supplied title parameter during page creation. A remote user can send a crafted link and trick the victim into clicking the "Create" button, causing arbitrary code to be executed.

User interaction is required, and the impact depends on the rights of the victim, including script execution with script right or full instance access with programming right.
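The three XSS findings above share one root cause: a value under user control (a template provider, the name of an existing document, a page title) is written into HTML without being escaped for the context it lands in. The following is an added example written for this bulletin; it is not XWiki's code and not the createinline.vm template. It contrasts the unsafe interpolation pattern with the escaped form in Python, using a constructed document name and an illustrative `/view/` URL path (both assumptions, not values from XWiki), and includes a small review helper that flags any tag the template did not itself emit.

```python
import html
import re
from urllib.parse import quote

# Constructed sample input: a document reference whose name carries markup.
# Illustrative only; not a value taken from XWiki or from this bulletin.
UNTRUSTED_DOC_NAME = 'Sandbox.<script>alert(1)</script>Report'


def render_exists_error_unsafe(doc_ref: str) -> str:
    """Unsafe pattern: the untrusted reference is concatenated into the
    error message as-is, so any markup in the document name becomes live
    HTML when the "already exists" message is shown (finding 2 above)."""
    return f'<div class="errormessage">The document {doc_ref} already exists.</div>'


def render_exists_error(doc_ref: str) -> str:
    """Hardened pattern: escape for the HTML element-content context before
    interpolation. quote=True also neutralizes quotes, which matters if the
    same helper is ever reused inside a quoted attribute."""
    return (f'<div class="errormessage">The document '
            f'{html.escape(doc_ref, quote=True)} already exists.</div>')


def render_open_link(doc_ref: str) -> str:
    """The same reference used in two contexts at once: percent-encode it
    for the URL path and HTML-escape it for the attribute and text nodes.
    Each context needs its own encoder; neither substitutes for the other.
    The '/view/' prefix is an illustrative path, not XWiki's URL scheme."""
    href = '/view/' + quote(doc_ref, safe='')
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(doc_ref)}</a>'


_TAG = re.compile(r'<\s*/?\s*[a-zA-Z][^>]*>')
_TAG_NAME = re.compile(r'<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)')


def foreign_tags(rendered: str, allowed: tuple[str, ...]) -> list[str]:
    """Review helper: return every tag in the rendered output whose name is
    not one the template itself emits. A non-empty result means untrusted
    markup survived into the page."""
    found = []
    for m in _TAG.finditer(rendered):
        name = _TAG_NAME.match(m.group(0)).group(1).lower()
        if name not in allowed:
            found.append(m.group(0))
    return found


if __name__ == '__main__':
    unsafe = render_exists_error_unsafe(UNTRUSTED_DOC_NAME)
    safe = render_exists_error(UNTRUSTED_DOC_NAME)
    print('unsafe :', unsafe)
    print('escaped:', safe)
    print('foreign tags in unsafe output :', foreign_tags(unsafe, ('div',)))
    print('foreign tags in escaped output:', foreign_tags(safe, ('div',)))
    print('link   :', render_open_link(UNTRUSTED_DOC_NAME))
```

The `foreign_tags` check is the kind of assertion worth adding to a template's unit tests: render the message with a name that contains markup and require that only the template's own tags appear in the output.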


Remediation

Install the update from the vendor's website.