GHSA-h6f5-8jj5-cxhr
GitHub Security Advisory
xwiki-platform vulnerable to Remote Code Execution in Annotations
Advisory Details
### Impact
The annotation displayer does not render annotation content in a restricted context. As a result, anyone who can annotate a document can execute arbitrary content (for example script macros) with the rights of that document's author.
To reproduce: add an annotation with the content `{{groovy}}print "hello"{{/groovy}}` and click the yellow square to display the annotation inline.
The result is "hello", whereas it should be an error indicating that the groovy macro is not allowed in this context.
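As an added example (not part of the advisory and not XWiki's own code), the following Python audit scans stored annotation text for script macros that should never execute from user-supplied content. The macro parser is a simplified, hypothetical model of XWiki 2.x syntax (verbatim `{{{...}}}`, `~` escapes, case-insensitive macro names), the privileged macro list is assumed, and the annotation records are constructed.

```python
import re

# Macros that run server-side script; annotation text must never be allowed to execute these.
# The list is illustrative (assumed names of XWiki script macros), not taken from the advisory.
PRIVILEGED_MACROS = {"groovy", "velocity", "python", "ruby", "php", "script"}

# Simplified model of XWiki 2.x syntax: {{{...}}} is verbatim, "~" escapes the next character,
# and a macro starts with {{name params}} (hypothetical parser, not XWiki's rendering engine).
VERBATIM_RE = re.compile(r"\{\{\{.*?\}\}\}", re.DOTALL)
MACRO_START_RE = re.compile(r"\{\{(?P<name>[A-Za-z][\w.-]*)[^}]*\}\}")


def find_privileged_macros(text):
    """Return, in order of appearance, the privileged macro names invoked in text."""
    text = VERBATIM_RE.sub("", text)  # verbatim content is never rendered as macros
    found = []
    for m in MACRO_START_RE.finditer(text):
        # An odd number of "~" directly before "{{" escapes it, so it is plain text.
        before = text[:m.start()]
        tildes = len(before) - len(before.rstrip("~"))
        if tildes % 2 == 1:
            continue
        name = m.group("name").lower()  # macro names are case-insensitive
        if name in PRIVILEGED_MACROS:
            found.append(name)
    return found


# Constructed sample of stored annotations (document, author, annotation text); not real data.
SAMPLE_ANNOTATIONS = [
    {"document": "Sandbox.WebHome", "author": "XWiki.Alice",
     "annotation": "Typo in the second paragraph."},
    {"document": "Sandbox.WebHome", "author": "XWiki.Eve",
     "annotation": '{{groovy}}print "hello"{{/groovy}}'},
    {"document": "Main.WebHome", "author": "XWiki.Bob",
     "annotation": "Write ~{{groovy}} to show the literal syntax."},
    {"document": "Main.WebHome", "author": "XWiki.Carol",
     "annotation": "{{{ {{velocity}}$doc{{/velocity}} }}} is verbatim."},
    {"document": "Main.WebHome", "author": "XWiki.Dave",
     "annotation": '{{VELOCITY wiki="true"}}$services.query{{/VELOCITY}}'},
]


def audit_annotations(records):
    """Return (document, author, macros) for every annotation invoking a privileged macro."""
    return [(r["document"], r["author"], m)
            for r in records if (m := find_privileged_macros(r["annotation"]))]


if __name__ == "__main__":
    for document, author, macros in audit_annotations(SAMPLE_ANNOTATIONS):
        print(f"{document}: annotation by {author} invokes {', '.join(macros)}")
```

Running this over a real annotation export is a quick way to find annotations that were stored while an unpatched version was in use, before or after upgrading to a fixed release.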
### Patches
This has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
### Workarounds
There is no easy workaround except to upgrade.
### References
https://jira.xwiki.org/browse/XWIKI-20360
https://jira.xwiki.org/browse/XWIKI-20384
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
### Attribution
This vulnerability has been reported by René de Sain @renniepak.
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.