Impact
It's possible for a user to execute anything with the right of the author of the XWiki.ClassSheet document.
Steps to Reproduce:
- Edit your user profile with the object editor and add an object of type DocumentSheetBinding with value Default Class Sheet
- Edit your user profile with the wiki editor and add the syntax
{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}
- Click "Save & View"
Expected result:
An error is displayed as the user doesn't have the right to execute the Groovy macro.
Actual result:
The text "Hello from groovy!" is displayed at the top of the document.
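As an added detection aid that is not part of this advisory or of XWiki itself: a small scanner over an exported page (XAR-style XML) that flags documents which both bind the privileged sheet through an XWiki.DocumentSheetBinding object and carry a server-side script macro in their content. The XML layout of the constructed sample (element names `className`, `property/sheet`, `content`, `author`) is an assumption about the export format and should be adjusted to match a real export.

```python
import re
import xml.etree.ElementTree as ET

# Macros that run server-side script and therefore depend on script rights.
SCRIPT_MACROS = ("groovy", "velocity", "python", "php")
MACRO_RE = re.compile(r"\{\{(" + "|".join(SCRIPT_MACROS) + r")\b", re.IGNORECASE)

# Constructed sample export of a user profile page; not a real export.
SAMPLE_PAGE = """<xwikidoc>
<web>XWiki</web>
<name>UntrustedUser</name>
<author>xwiki:XWiki.UntrustedUser</author>
<content>{{async}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}</content>
<object>
<className>XWiki.DocumentSheetBinding</className>
<property><sheet>XWiki.ClassSheet</sheet></property>
</object>
</xwikidoc>"""


def find_sheet_abuse(page_xml: str, privileged_sheet: str = "XWiki.ClassSheet"):
    """Return a list of findings for one exported page.

    A finding is produced only when the page binds `privileged_sheet` via an
    XWiki.DocumentSheetBinding object AND its content contains a script macro,
    which is the combination this advisory describes.
    """
    root = ET.fromstring(page_xml)
    bound_sheets = [
        obj.findtext("property/sheet", default="")
        for obj in root.findall("object")
        if obj.findtext("className", default="") == "XWiki.DocumentSheetBinding"
    ]
    content = root.findtext("content", default="")
    macros = sorted({m.group(1).lower() for m in MACRO_RE.finditer(content)})
    if privileged_sheet not in bound_sheets or not macros:
        return []
    return [{
        "document": f"{root.findtext('web')}.{root.findtext('name')}",
        "author": root.findtext("author"),
        "sheet": privileged_sheet,
        "macros": macros,
    }]


if __name__ == "__main__":
    for finding in find_sheet_abuse(SAMPLE_PAGE):
        print(finding)
```

Run it over every page of an export to list documents worth reviewing; a hit is a candidate for investigation, not proof of exploitation.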
Patches
This has been patched in XWiki 15.0-rc-1 and 14.10.4.
Workarounds
There are no known workarounds for it.
References
https://jira.xwiki.org/browse/XWIKI-20566
de72760
For more information
If you have any questions or comments about this advisory: