Vulnerability title
"XWiki Platform privilege escalation (PR) from account through AWM content fields"
Vulnerability description
XWiki Platform privilege escalation (PR) from account through AWM content fields
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability category
Improper Control of Generation of Code ('Code Injection')
Vulnerability title
XWiki Platform privilege escalation (PR) from account through AWM content fields
Vulnerability description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thus effectively performing rights escalation. This issue is present since version 4.3M2 when AppWithinMinutes Application added support for the Content field, allowing any wiki page (including the user profile page) to use its content as an AWM Content field, which has a custom displayer that executes the content with the rights of the ``AppWithinMinutes.Content`` author, rather than the rights of the content author. The vulnerability has been fixed in XWiki 14.10.5 and 15.1RC1. The fix is in the content of the AppWithinMinutes.Content page that defines the custom displayer. By using the ``display`` script service to render the content we make sure that the proper author is used for access rights checks.
CVSS information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Vulnerability category
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Vulnerability title
XWiki Platform code injection vulnerability
Vulnerability description
XWiki Platform is a wiki platform from the French XWiki foundation for building collaborative web applications. XWiki Platform contains a security vulnerability: any registered user can use the content field of their user profile page to execute arbitrary scripts with programming rights, thereby effectively escalating their privileges.
CVSS information
N/A
Vulnerability category
Code injection