Missing Authorization Affecting org.xwiki.platform:xwiki-platform-oldcore package, versions [3.0.1,14.10.20)[15.0-rc-1,15.5.4)[15.6-rc-1,15.10-rc-1)


Severity

Recommended
0.0
critical
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.05% (18th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Missing Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGXWIKIPLATFORM-6595858
  • published11 Apr 2024
  • disclosed10 Apr 2024
  • creditUnknown

Introduced: 10 Apr 2024

CVE-2024-31981  (opens in a new tab)
CWE-862  (opens in a new tab)

How to fix?

Upgrade org.xwiki.platform:xwiki-platform-oldcore to version 14.10.20, 15.5.4, 15.10-rc-1 or higher.

Overview

org.xwiki.platform:xwiki-platform-oldcore is a generic wiki platform offering runtime services for applications built on top of it.

Affected versions of this package are vulnerable to Missing Authorization due to the improper handling of user registration and PDF export templates. An attacker can execute arbitrary code by registering a new user account with a specific username and manipulating PDF export templates through crafted style attributes.

An attacker can exploit this vulnerability if XWiki.PDFClass does not exist by adding an object of class PDFClass with a malicious style attribute.

Workaround

This vulnerability can be mitigated by creating the document XWiki.PDFClass and blocking its edition after ensuring it does not contain a style attribute. Otherwise, the instance needs to be updated.

PoC

  1. Register a new user account with username PDFClass.

  2. Switch your user account to advanced.

  3. Use the class editor on the user profile and create a new "TextArea" property with name "style". Set the content type to "Plain Text".

  4. Use the object editor on the user profile and add a new object of PDFClass. Set the "style" attribute to $services.logging.getLogger('PDFClass').error("I got programming: $services.security.authorization.hasAccess('programming')").

  5. Open <xwiki-server>/xwiki/bin/export/Main/WebHome?format=pdf&pdfcover=1&pdfcover=0&pdftoc=1&pdftoc=0&pdfheader=1&pdfheader=0&pdffooter=1&pdffooter=0&comments=0&attachments=0&pdftemplate=XWiki.PDFClass where is the URL of your XWiki installation.

CVSS Scores

version 3.1