10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-29524

GHSA ID

GHSA-fc42-5w56-qw7h

EPSS Score

0.97362%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29524

CVE-2023-29524: XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet

Impact

It's possible to execute anything with the right of the Scheduler Application sheet page.

To reproduce:

As a user without script or programming rights, edit your user profile with the object editor and add a new object of type XWiki.SchedulerJobClass (search for "Scheduler")
In "Job Script", add the following {{/code}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy} {{/async}}
Click "Save & View"
If the job information isn't already displayed (you should see "Job Name", "Job Description", etc.), append ?sheet=XWiki.SchedulerJobSheet to the URL.

Patches

This has been patched in XWiki 14.10.3 and 15.0 RC1.

Workarounds

While the fix in the scheduler itself is easy, it relies on the code macro source parameter, which was introduced in 14.10.2 so you have to upgrade to benefit from it.

References

https://jira.xwiki.org/browse/XWIKI-20295 https://jira.xwiki.org/browse/XWIKI-20462

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-29524

CVE-2023-29524:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-29524

GHSA ID

GHSA-fc42-5w56-qw7h

EPSS Score

0.97362%

CWE

CWE-74

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-scheduler-ui	maven	>= 2.0.1, < 14.10.3	14.10.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of user-controlled input in the SchedulerJobSheet's job script rendering. The attack vector shows that user-provided content containing {{groovy}} macros gets executed when viewing the job sheet. The patch (XWIKI-20462) introduced a 'source' parameter to the code macro to validate content origin, indicating the vulnerable code was directly rendering untrusted macro content without this safeguard. The SchedulerJobSheet template would have contained the vulnerable code macro usage that allowed arbitrary script execution with scheduler application rights.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-29524: XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet

Impact

Patches

Workarounds

References

For more information

CVE-2023-29524:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

10

10

CVE-2023-29524: XWiki Platform vulnerable to code injection from account through XWiki.SchedulerJobSheet

Impact

Patches

Workarounds

References

For more information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI