8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-35166

CVE-2023-35166: XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

Impact

It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension.

To reproduce:

Add an object of type UIExtensionClass
Set "Extension Point ID" to org.xwiki.platform.help.tipsPanel
Set "Extension ID" to org.xwiki.platform.user.test (needs to be unique but otherwise doesn't matter)

Set "Extension Parameters" to

tip={{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}

Set "Extension Scope" to "Current User".
Click "Save & View"
Open the "Help.TipsPanel" document at <xwiki-host>/xwiki/bin/view/Help/TipsPanel where <xwiki-host> is the URL of your XWiki installation and press refresh repeatedly.

The groovy macro is executed, after the fix you get an error instead.

Patches

This has been patched in XWiki 15.1-rc-1 and 14.10.5.

Workarounds

There are no known workarounds for it.

References

https://jira.xwiki.org/browse/XWIKI-20281
https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-35166

CVE-2023-35166:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-help-ui	maven	>= 8.1-milestone-1, < 14.10.5	14.10.5
org.xwiki.platform:xwiki-platform-help-ui	maven	>= 15.0-rc-1, < 15.1-rc-1	15.1-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how the TipsPanel processed UI extension parameters. The unpatched code in WebHome.xml retrieved the 'tip' content via $uixs.get($index).getParameters().get('tip') and rendered it without security restrictions. The patch introduced a restricted execution context ({{context restricted="true" ...}}), indicating the original lack of restrictions was the flaw. This function's failure to enforce safe execution context made it vulnerable to privilege escalation via crafted UI extensions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-35166: XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

Impact

Patches

Workarounds

References

For more information

CVE-2023-35166:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-35166: XWiki Platform vulnerable to privilege escalation (PR) from account through TipsPanel

Impact

Patches

Workarounds

References

For more information

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI