Skip to content

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml

Critical severity GitHub Reviewed Published Nov 21, 2022 in xwiki/xwiki-platform • Updated Feb 3, 2023

Package

maven org.xwiki.platform:xwiki-platform-attachment-ui (Maven)

Affected versions

>= 5.0-milestone-1, < 13.10.7
>= 14.0.0, < 14.4.2

Patched versions

13.10.7
14.4.2

Description

Impact

Any user with the right to edit his personal page can follow one of the scenario below:

Scenario 1:

  • Log in as a simple user with just edit rights on the user profile
  • Go to the user's profile
  • Upload an attachment in the attachment tab at the bottom of the page (any image is fine)
  • Click on "rename" in the attachment list and enter {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png as new attachment name and submit the rename
  • Go back to the user profile
  • Click on the edit icon on the user avatar
  • Hello from groovy! is displayed as the title of the attachment

Scenario 2:

  • Log in as a simple user with just edit rights on a page
  • Create a Page MyPage.WebHome
  • Create an XClass field of type String named avatar
  • Add an XObject of type MyPage.WebHome on the page
  • Insert an attachmentSelector macro in the document with the following values:
    • classname: MyPage.WebHome
    • property: avatar
    • savemode: direct
    • displayImage: true
    • width: ]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}. You'll find below a snippet of an attachmentSelector macro declaration.
  • Display the page
  • Use the attachment picker to select an image
  • Hello from groovy is displayed aside the image

Example of an attachmentSelector macro declaration:

`{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}`

Note: The issue can also be reproduced by inserting the dangerous payload in the height or alt macro properties.

Patches

The issue can be fixed on a running wiki by updating XWiki.AttachmentSelector with the versions below:

Workarounds

No known workaround.

References

For more information

If you have any questions or comments about this advisory:

References

@surli surli published to xwiki/xwiki-platform Nov 21, 2022
Published to the GitHub Advisory Database Nov 21, 2022
Reviewed Nov 21, 2022
Published by the National Vulnerability Database Nov 23, 2022
Last updated Feb 3, 2023

Severity

Critical

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS score

0.126%
(48th percentile)

Weaknesses

CVE ID

CVE-2022-41928

GHSA ID

GHSA-9hqh-fmhg-vq2j

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.