You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters form_token=1&action=create.
Impact
It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the
newThemeNamerequest parameter (URL parameter), in combination with additional parametersform_token=1&action=create.For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following groovy code:
println("hello from groovy!")on the server.Patches
This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.
Workarounds
It is possible to edit
FlamingoThemesCode.WebHomeSheetand manually perform the changes from the patch fixing the issue.References
For more information
If you have any questions or comments about this advisory: