org.xwiki.platform:xwiki-platform-livedata-macro vulnerable to Basic Cross-site Scripting

Impact

A user without script rights can introduce a stored XSS by using the Live Data macro, if the last author of the content of the page has script rights.

For instance, by adding the LiveData below in the about section of the profile of a user created by an admin.

{{liveData id="movies" properties="title,description"}}
{
  "data": {
    "count": 1,
    "entries": [
      {
        "title": "Meet John Doe",
        "url": "https://www.imdb.com/title/tt0033891/",
        "description": "<img onerror='alert(1)' src='foo' />"
      }
    ]
  },
  "meta": {
    "propertyDescriptors": [
      {
        "id": "title",
        "name": "Title",
        "visible": true,
        "displayer": {"id": "link", "propertyHref": "url"}
      },
      {
        "id": "description",
        "name": "Description",
        "visible": true,
        "displayer": "html"
      }
    ]
  }
}
{{/liveData}}

Patches

This has been patched in XWiki 14.10, 14.4.7, and 13.10.11.

Workarounds

No known workaround.

References

https://jira.xwiki.org/browse/XWIKI-20312

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira
Email us at Security ML

References

tmortagne published to xwiki/xwiki-platform Apr 12, 2023

Published to the GitHub Advisory Database Apr 12, 2023

Reviewed Apr 12, 2023

Published by the National Vulnerability Database Apr 16, 2023

Last updated Apr 26, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code