| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.contrib.blog:application-blog-ui | maven | < 9.14 | 9.14 |
The vulnerability is a privilege escalation in the XWiki Blog Application, where any user with edit rights could execute code with the privileges of another user viewing the content. The root cause was the improper rendering of user-provided content, specifically the 'content' and 'extract' fields of a blog post.
The analysis of the security patch (commit b98ab6f17da3029576f42d12b4442cd555c7e0b4) reveals that the application used unsafe methods to render content in several places.
Direct Unsafe Rendering: In Velocity templates like BlogCode.xml and BlogPostLayoutImage.xml, the application was calling $doc.getRenderedContent(...) on the raw content of a blog post. This method, com.xpn.xwiki.api.Document.getRenderedContent, rendered the content with the permissions of the current user viewing the page, not the author of the post. This allowed an attacker to inject a script macro into a post, which would then be executed with the rights of whoever viewed it, including administrators.
Unsafe Script Service: In the RSS feed generation (RssCode.xml), the application used a script service method, org.xwiki.contrib.blog.script.BlogScriptService.renderRSSDescription. This function also took raw content and rendered it, leading to the same privilege escalation issue for users consuming the RSS feed.
The patch addresses these issues by:

1. Replacing $doc.getRenderedContent with a new, safer script service method, $services.blog.renderContentHTML. The renderContentHTML function internally uses document.display(...), which is the standard, secure way to render content in XWiki, as it correctly uses the author's context for execution.
2. Changing the renderRSSDescription function used by the RSS feed.
3. Fixing CategorySheet.xml, replacing a call to getRenderedContent with {{include reference="" author="target"/}}, which ensures the content is rendered with the author's rights.

Therefore, the key functions that would appear in a runtime profile during exploitation are com.xpn.xwiki.api.Document.getRenderedContent (due to its use in the templates) and org.xwiki.contrib.blog.script.BlogScriptService.renderRSSDescription.
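Since the unsafe path is "raw blog post content rendered with the viewer's rights", a defender auditing an instance that has not yet been upgraded to 9.14 wants to know which stored posts carry script macros in the 'content' or 'extract' fields and who authored them. The script below is an added example, not code from the advisory or from the XWiki Blog Application: it scans an XWiki page export for Blog.BlogPostClass objects and reports any script macro ({{groovy}}, {{velocity}}, {{python}}, {{script}}) found in those fields. The export structure (xwikidoc / object / className / property) is assumed from the XWiki XML export format, and the sample document is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# XWiki script macros: their bodies execute with the rights of the rendering
# context, which before the patch was the viewing user rather than the author.
SCRIPT_MACROS = ("groovy", "velocity", "python", "script")
MACRO_RE = re.compile(r"\{\{\s*(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# Constructed sample XWiki document export (structure assumed from the XWiki
# XML export format; the page, author and post text are made up for this example).
SAMPLE_EXPORT = """<xwikidoc>
  <web>Blog</web>
  <name>SamplePost</name>
  <author>xwiki:XWiki.contributor</author>
  <object>
    <className>Blog.BlogPostClass</className>
    <property><title>Quarterly update</title></property>
    <property><content>Plain text and {{groovy}}println "hi"{{/groovy}}</content></property>
    <property><extract>Short summary</extract></property>
  </object>
</xwikidoc>
"""


def find_script_macros(text):
    """Return the sorted set of script macro names opened in the given wiki text."""
    return sorted({m.group(1).lower() for m in MACRO_RE.finditer(text or "")})


def audit_export(xml_text, fields=("content", "extract")):
    """Scan one exported XWiki document for blog post fields containing script macros.

    Only objects of class Blog.BlogPostClass are inspected, and only the fields
    the advisory names as unsafely rendered ('content' and 'extract' by default).
    Each finding records the page, its author, the field and the macros seen.
    """
    root = ET.fromstring(xml_text)
    author = root.findtext("author", default="")
    page = f"{root.findtext('web', default='')}.{root.findtext('name', default='')}"
    findings = []
    for obj in root.iter("object"):
        if obj.findtext("className") != "Blog.BlogPostClass":
            continue
        for prop in obj.findall("property"):
            # Each <property> wraps a single child element named after the field.
            for field in prop:
                if field.tag in fields:
                    macros = find_script_macros(field.text)
                    if macros:
                        findings.append(
                            {"page": page, "author": author, "field": field.tag, "macros": macros}
                        )
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(f"{finding['page']} [{finding['field']}] by {finding['author']}: {finding['macros']}")
```

Run the audit over each document export in a XAR of the Blog space; a post whose content field opens a script macro is worth reviewing with its author in mind, since before the patch that macro ran with whatever rights the reader had.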