CVE-2023-41046 – Velocity execution without script rights in Xwiki platform
https://notcve.org/view.php?id=CVE-2023-41046
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It is possible in XWiki to execute Velocity code without having script right by creating an XClass with a property of type "TextArea" and content type "VelocityCode" or "VelocityWiki". For the former, the syntax of the document needs to be set the `xwiki/1.0` (this syntax doesn't need to be installed). In both cases, when adding the property to an object, the Velocity code is executed regardless of the rights of the author of the property (edit right is still required, though). In both cases, the code is executed with the correct context author so no privileged APIs can be accessed. • https://github.com/xwiki/xwiki-platform/commit/edc52579eeaab1b4514785c134044671a1ecd839 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-m5m2-h6h9-p2c8 https://jira.xwiki.org/browse/XWIKI-20847 https://jira.xwiki.org/browse/XWIKI-20848 • CWE-862: Missing Authorization •
CVE-2023-40573 – XWiki Platform's Groovy jobs check the wrong author, allowing remote code execution
https://notcve.org/view.php?id=CVE-2023-40573
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki supports scheduled jobs that contain Groovy scripts. Currently, the job checks the content author of the job for programming right. However, modifying or adding a job script to a document doesn't modify the content author. Together with a CSRF vulnerability in the job scheduler, this can be exploited for remote code execution by an attacker with edit right on the wiki. • https://github.com/xwiki/xwiki-platform/commit/fcdcfed3fe2e8a3cad66ae0610795a2d58ab9662 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-8xhr-x3v8-rghj https://jira.xwiki.org/browse/XWIKI-20852 • CWE-284: Improper Access Control •
CVE-2023-40572 – XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action
https://notcve.org/view.php?id=CVE-2023-40572
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation. • https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m https://jira.xwiki.org/browse/XWIKI-20849 • CWE-352: Cross-Site Request Forgery (CSRF) •