PT-2021-14461 · Xwiki · Xwiki Platform
Thomas Mortagne · Published 2021-03-12 · Updated 2021-03-23
CVE-2021-21379
CVSS v3.1: 7.7 (High)
| Vector | AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 11.10.11
XWiki Platform versions prior to 12.6.3
XWiki Platform versions prior to 12.8-rc-1
Description
The {{wikimacrocontent}} macro executes its content with the rights of the wiki macro's author instead of the rights of the user calling that wiki macro. An attacker who can pass content to such a macro can therefore inject scripts that run with the author's rights, which for wiki macros is often a user with Programming rights. No such macro exists by default in XWiki Standard, but one may have been created by an administrator or installed with an extension.
Recommendations
For versions prior to 11.10.11, update to version 11.10.11 or later.
For versions prior to 12.6.3, update to version 12.6.3 or later.
For versions prior to 12.8-rc-1, update to version 12.8-rc-1 or later.
As a temporary workaround, consider disabling the affected macros until a patch is available.
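To check whether an installed XWiki Platform version falls inside one of the affected ranges listed above, here is an added Python helper (not part of this advisory or of XWiki itself); it assumes the dotted `major.minor.patch` and `-rc-N` version formats shown on this page.

```python
import re
from typing import Tuple

# Fix versions for CVE-2021-21379, one per release branch, as listed in the advisory.
FIXED_11 = "11.10.11"
FIXED_12_6 = "12.6.3"
FIXED_12_8 = "12.8-rc-1"

# Assumed format: "11.10.11", "12.6", "12.8-rc-1" (the forms that appear on this page).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a comparable tuple.

    A release candidate sorts before the final release of the same number,
    so "12.8-rc-1" < "12.8".
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch, rc = m.groups()
    final_flag = 0 if rc else 1  # final releases rank above their RCs
    return (int(major), int(minor), int(patch or 0), final_flag, int(rc or 0))


def fix_for_branch(v: str) -> str:
    """Pick the advisory's fix version for the branch that `v` belongs to."""
    major, minor, *_ = parse_version(v)
    if major < 12:
        return FIXED_11        # 11.x (and anything older) is fixed from 11.10.11
    if major == 12 and minor <= 6:
        return FIXED_12_6      # 12.0 .. 12.6.x is fixed from 12.6.3
    return FIXED_12_8          # 12.7.x and later is fixed from 12.8-rc-1


def is_affected(v: str) -> bool:
    """True when `v` is older than the fix for its branch."""
    return parse_version(v) < parse_version(fix_for_branch(v))


if __name__ == "__main__":
    # Constructed sample inventory of instances to triage.
    for instance in ["11.10.10", "11.10.11", "12.6.2", "12.6.3", "12.7.1", "12.8-rc-1", "13.0"]:
        print(f"{instance:>10}: {'AFFECTED' if is_affected(instance) else 'fixed'}")
```

Any version the regex cannot parse raises `ValueError` rather than silently reporting "fixed", so unusual build strings get flagged for manual review.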
Fix
Weakness Enumeration
Improper Preservation of Permissions
Related Identifiers
Affected Products
Xwiki Platform