XWiki Commons, a set of technical libraries used by several other top-level XWiki projects, has been found to contain a critical vulnerability that could allow an attacker to execute arbitrary code on the affected system. This vulnerability has been assigned the CVE number CVE-2023-29214.
The vulnerability occurs as a result of improper escaping of the included pages in the IncludedDocuments panel, which allows any user with edit rights to execute arbitrary Groovy, Python, or Velocity code in XWiki, effectively giving full access to the XWiki installation. This security issue has since been patched, and it's available in XWiki versions 14.4.7 and 14.10.
Code Snippet
A malicious user could exploit this vulnerability by injecting a payload in the IncludedDocuments panel like this:
{{velocity}}
$current.userReference
#set($job = $services.query.xwql("from doc.object(XWiki.SchedulerJobClass) where condition").execute())
{{/velocity}}
Here, the attacker is using XWiki's Velocity scripting language to query a list of documents and potentially execute malicious code.
Original References
- The issue was tracked on the XWiki Jira site: https://jira.xwiki.org/browse/XCOMMONS-2176
- The official XWiki Commons 14.10 release notes are available here: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/14.10/
- The official XWiki Commons 14.4.7 release notes are available here: https://www.xwiki.org/xwiki/bin/view/ReleaseNotes/Data/XWiki/14.4.7/
Navigate to the IncludedDocuments panel and open it for editing.
3. Include a malicious payload (like the example provided in the Code Snippet section) that contains Groovy, Python, or Velocity code which the attacker wants to execute.
Patching and Mitigation
For system administrators using an affected version of XWiki, it's crucial to upgrade the software to either version 14.4.7 or 14.10, as both include the patch for this vulnerability. Furthermore, administrators should regularly audit user accounts and privileges to ensure that only trusted and authorized users have edit rights.
Conclusion
CVE-2023-29214 is a serious security vulnerability in XWiki Commons, allowing an attacker to execute arbitrary code on affected systems by exploiting improper escaping in the IncludedDocuments panel. System administrators should urgently apply patches for their XWiki installations and actively monitor user access rights to mitigate the risks posed by this vulnerability. Following best practices in code quality and security, as well as staying informed of the latest patches and updates from software vendors, can go a long way toward keeping software systems safe from exploitation.
Timeline
Published on: 04/16/2023 07:15:00 UTC
Last modified on: 04/26/2023 17:15:00 UTC