Improper Input Validation Affecting org.xwiki.platform:xwiki-platform-tag-ui package, versions [0,13.10.6) [14.0-rc-1,14.5)


0.0
critical
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Scope

    Changed

  • Confidentiality

    High

  • Integrity

    High

  • Availability

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-JAVA-ORGXWIKIPLATFORM-3019827

  • published

    9 Sep 2022

  • disclosed

    9 Sep 2022

  • credit

    Unknown

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-tag-ui to version 13.10.6, 14.5 or higher.

Overview

Affected versions of this package are vulnerable to Improper Input Validation via the tags document Main.Tags, allowing users with view rights on the document (default in a public wiki or for authenticated users on private wikis) to execute arbitrary Groovy, Python and Velocity code with programming rights.

Workaround

Users who are not able to update to the fixed versions manually apply the patch that fixes the issue to the document Main.Tags, or the updated version of that document can be imported from version 14.4 of xwiki-platform-tag-ui using the import feature in the administration UI on XWiki 10.9 and later.