GHSA-p5f8-qf24-24cj
GitHub Security Advisory
Velocity execution without script right through tree macro
Advisory Details
### Impact
It's possible to execute a Velocity script without script right through the document tree.
To reproduce:
* As a user without script right, create a document, e.g., named Nasty Title
* Set the document's title to `$request.requestURI`
* Click "Save & View"
* Reload the page in the browser
The navigation panel displays a document named with the current URL, showing that the Velocity code has been executed even though the user doesn't have script right.
### Patches
This has been patched in XWiki 14.10.7 and 15.2RC1.
### Workarounds
A possible workaround is to:
* modify the page XWiki.DocumentTreeMacros
* search for the code `#set ($discard = $translatedDocument.setTitle($translatedDocument.title))`
* modify it into `#set ($discard = $translatedDocument.setcomment(''))`
### References
* https://jira.xwiki.org/browse/XWIKI-20625
* https://github.com/xwiki/xwiki-platform/commit/41d7dca2d30084966ca6a7ee537f39ee8354a7e3
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Email us at [Security Mailing List](mailto:[email protected])
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.