GHSA-vwr6-qp4q-2wj7

Advisory Details

### Impact

One can execute any wiki content with the right of IconThemeSheet author by creating an icon theme with the following content:

```
}}}
{{async async="true"}}
{{groovy}}
println("Hello from Groovy!")
{{/groovy}}
{{/async}}
{{{
```

Can be done by creating a new page or even through the user profile for users not having edit right.

### Patches

This has been patched in XWiki 14.9, 14.4.6, and 13.10.10.

### Workarounds

An easy workaround is to actually fix the bug in the page `IconThemesCode.IconThemeSheet` by applying the following modification: https://github.com/xwiki/xwiki-platform/commit/48caf7491595238af2b531026a614221d5d61f38#diff-2ec9d716673ee049937219cdb0a92e520f81da14ea84d144504b97ab2bdae243R45

### References

https://jira.xwiki.org/browse/XWIKI-19731

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Jira](http://jira.xwiki.org)
* Email us at [Security ML](mailto:[email protected])

Affected Packages

Maven org.xwiki.platform:xwiki-platform-icon-ui

Affected versions: 6.2-milestone-1 (fixed in 13.10.10)

Maven org.xwiki.platform:xwiki-platform-icon-ui

Affected versions: 14.0 (fixed in 14.4.6)

Maven org.xwiki.platform:xwiki-platform-icon-ui

Affected versions: 14.5 (fixed in 14.9)

Related CVEs

CVE-2023-26472

XWiki Platform vulnerable to privilege escalation via async macro and IconThemeSheet from the user profile

Advisory Details

Affected Packages

Related CVEs

Key Information

Dataset