Impact
On instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server.
In order to reproduce on an instance, as a normal user without script nor programming rights, go to your profile and add an object of type ExtensionCode.ExtensionClass. Set the description to {{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}} and press Save and View. If the description displays as Hello from Description without any error, then the instance is vulnerable.
Patches
This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0.
Workarounds
Since Extension Repository Application is not mandatory, it can be safely disabled on instances that do not use it.
It is also possible to manually apply this patch to the page ExtensionCode.ExtensionSheet, as well as this patch to the page ExtensionCode.ExtensionAuthorsDisplayer.
References
For more information
If you have any questions or comments about this advisory:
Impact
On instances where
Extension Repository Applicationis installed, any user can execute any code requiringprogrammingrights on the server.In order to reproduce on an instance, as a normal user without
scriptnorprogrammingrights, go to your profile and add an object of typeExtensionCode.ExtensionClass. Set the description to{{async}}{{groovy}}println("Hello from Description"){{/groovy}}{{/async}}and pressSave and View. If the description displays asHello from Descriptionwithout any error, then the instance is vulnerable.Patches
This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0.
Workarounds
Since
Extension Repository Applicationis not mandatory, it can be safely disabled on instances that do not use it.It is also possible to manually apply this patch to the page
ExtensionCode.ExtensionSheet, as well as this patch to the pageExtensionCode.ExtensionAuthorsDisplayer.References
For more information
If you have any questions or comments about this advisory: