SB2023112082 - Multiple vulnerabilities in XWiki platform
Published: November 20, 2023 Updated: May 5, 2026
Description
This security bulletin contains information about 4 vulnerabilities.
1) Improper Authorization (CVE-ID: CVE-2023-48241)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper authorization in the Solr suggest service when handling search requests that explicitly request fields from Solr without the data needed for the rights check. A remote attacker can send a specially crafted request to disclose sensitive information.
By default, access to this service is public, and the issue can expose the content of documents across all wikis, excluding some protected information such as password hashes.
2) Eval Injection (CVE-ID: CVE-2023-46731)
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in the Administration section display code in XWiki.AdminSheet when processing the section URL parameter. A remote attacker can send a specially crafted request to execute arbitrary code.
By default, the issue is reachable by anyone with read access to XWiki.AdminSheet, including unauthenticated users.
3) Cross-Site Scripting (XSS)
The vulnerability allows a remote attacker to execute arbitrary actions in the name of the user.
The vulnerability exists due to improper neutralization of script-related HTML tags in the rev parameter used by the content menu when handling a crafted link parameter. A remote attacker can trick the victim into visiting a crafted link to execute arbitrary actions in the name of the user.
If the victim has programming right, exploitation can lead to remote code execution and compromise the confidentiality, integrity and availability of the whole XWiki installation.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2023-48240)
The vulnerability allows a remote user to steal login and session cookies, perform server-side request forgery, and disclose protected content.
The vulnerability exists due to insertion of sensitive information into sent data and improper request destination restriction in rendered diff image fetching when processing rendered diffs with embedded external images. A remote user can embed or reference a crafted rendered diff so that the server requests attacker-controlled or protected resources to steal login and session cookies, perform server-side request forgery, and disclose protected content.
User interaction is required to view the diff or an image that references the rendered diff, and cached successful requests can be returned for other users.
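For triage, an added example (not part of this bulletin and not XWiki code): a small Python script that walks access-log lines and flags requests matching the shapes described above for issues 1 to 3: an explicit field list sent to the Solr suggest service, directive syntax in the AdminSheet section parameter, and script markup in a rev parameter. The XWiki.SuggestSolrService page name and the /bin/view and /bin/get URL layout are assumptions, the log lines are constructed, and issue 4 (SSRF via rendered diffs) is not visible in a single request line, so it is not covered.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2023:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/AdminSheet?section=Editing HTTP/1.1" 200 5120
10.0.0.7 - - [20/Nov/2023:10:01:09 +0000] "GET /xwiki/bin/view/XWiki/AdminSheet?section=%24%7Bfoo%7D HTTP/1.1" 200 311
10.0.0.9 - - [20/Nov/2023:10:02:15 +0000] "GET /xwiki/bin/get/XWiki/SuggestSolrService?query=a&fl=content HTTP/1.1" 200 9001
10.0.0.9 - - [20/Nov/2023:10:03:44 +0000] "GET /xwiki/bin/view/Main/WebHome?rev=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 4711
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Velocity/Groovy directive syntax; a legitimate admin section name never contains it.
DIRECTIVE_RE = re.compile(r'[$#]|\{\{')
# Script-related markup; a legitimate revision id looks like "1.2".
SCRIPT_RE = re.compile(r'<\s*/?\s*(script|img|svg|iframe)|javascript:|on\w+\s*=', re.I)

def classify_request(line):
    """Return [(issue, reason), ...] for one access-log line; [] if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    # parse_qs decodes once; the extra unquote catches double-encoded values.
    qs = {k: [unquote(v) for v in vs]
          for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    # 1) Explicit field list sent to the Solr suggest service (page name is an assumption).
    if path.endswith("/XWiki/SuggestSolrService") and "fl" in qs:
        findings.append(("CVE-2023-48241", "explicit fl= on Solr suggest service"))
    # 2) AdminSheet section parameter carrying directive syntax.
    if path.endswith("/XWiki/AdminSheet"):
        for v in qs.get("section", []):
            if DIRECTIVE_RE.search(v):
                findings.append(("CVE-2023-46731", "directive syntax in section="))
    # 3) rev parameter carrying script-related markup, on any page.
    for v in qs.get("rev", []):
        if SCRIPT_RE.search(v):
            findings.append(("XSS via rev parameter", "script-related markup in rev="))
    return findings

def scan_log(text):
    """Run classify_request over a whole log and tag each hit with the client IP."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        for issue, reason in classify_request(line):
            hits.append((m.group("ip"), issue, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(*hit)
```

A hit is a reason to check the instance's patch level against the references below and to review what the flagged client did next, not proof of exploitation.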
Remediation
Install the update from the vendor's website.
References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7fqr-97j7-jgf4
- https://github.com/xwiki/xwiki-platform/commit/93b8ec702d7075f0f5794bb05dfb651382596764
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-62pr-qqf7-hh89
- https://github.com/xwiki/xwiki-platform/commit/fec8e0e53f9fa2c3f1e568cc15b0e972727c803a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j9rc-w3wv-fv62
- https://github.com/xwiki/xwiki-platform/commit/04e325d57d4bcb6ab79bddcafbb19032474c2a55
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7rfg-6273-f5wp
- https://github.com/xwiki/xwiki-platform/commit/bff0203e739b6e3eb90af5736f04278c73c2a8bb