GHSA-3738-p9x3-mv9r
GitHub Security Advisory
XWiki Platform vulnerable to privilege escalation via properties with wiki syntax that are executed with wrong author
Advisory Details
### Impact
It is possible to use the rights of an existing document's content author to execute a TextArea property that contains wiki syntax: the property is rendered with the content author's rights rather than those of the user who last edited it.
To reproduce:
* As an admin with programming rights, create a new user without script or programming rights.
* Log in as the freshly created user.
* Insert the following text, in source mode, in the "About" section of the user profile (a TextArea property):
```
{{groovy}}println("hello from groovy!"){{/groovy}}
```
* Click "Save & View"
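As an added example (not part of the advisory and not XWiki project code), a small audit helper that flags script macros stored in user-editable TextArea properties such as the profile "About" field, which an administrator can run over exported profile text to find such content. The set of script-macro names and the sample profiles are assumptions constructed for this example.

```python
import re

# Assumed set of XWiki script-macro names; adjust to the macros enabled on your installation.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}

# Matches an opening or self-closing XWiki 2.x macro, e.g. {{groovy}} or {{script language="groovy"/}}.
# Closing tags such as {{/groovy}} start with "/" and therefore do not match.
MACRO_RE = re.compile(r"\{\{\s*([A-Za-z][\w-]*)\b[^}]*\}\}")


def find_script_macros(text: str) -> list[str]:
    """Return the script-macro names used in a wiki-syntax string, in document order."""
    return [
        m.group(1).lower()
        for m in MACRO_RE.finditer(text)
        if m.group(1).lower() in SCRIPT_MACROS
    ]


def audit_profiles(profiles: dict[str, str]) -> dict[str, list[str]]:
    """profiles maps a user reference to its 'About' text; returns only the users that contain script macros."""
    findings = {}
    for user, about in profiles.items():
        hits = find_script_macros(about or "")
        if hits:
            findings[user] = hits
    return findings


# Constructed sample data for this example, not real user content.
SAMPLE_PROFILES = {
    "XWiki.Alice": "Hi, I work on the documentation team.",
    "XWiki.Bob": '{{groovy}}println("hello from groovy!"){{/groovy}}',
    "XWiki.Carol": "See {{info}}our guidelines{{/info}} and {{velocity}}$xcontext.user{{/velocity}}",
}

if __name__ == "__main__":
    for user, macros in audit_profiles(SAMPLE_PROFILES).items():
        print(f"{user}: script macros found: {', '.join(macros)}")
```

A non-empty result means the profile renders with script content; on an unpatched instance that content runs with the rights described above, so such profiles are worth reviewing before and after upgrading.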
### Patches
This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.
### Workarounds
No known workaround.
### References
https://jira.xwiki.org/browse/XWIKI-20373
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org/)
* Email us at [Security ML](mailto:[email protected])
Data from GitHub Advisory Database. This information is provided for research and educational purposes.