PT-2022-16129 · Xwiki · Xwiki Platform

Jonathan Villemaire-Krajden · Published 2022-02-09 · Updated 2022-02-15 · CVE-2022-23616

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 13.1RC1
Description: The issue allows an unprivileged user to perform remote code execution by injecting a Groovy script into their own profile and then calling the Reset password feature, because that feature saves the user profile with programming rights.
Recommendations: For versions prior to 13.1RC1, consider the following workarounds:
  1. The Reset password feature can be entirely disabled by deleting the XWiki/ResetPassword page.
  2. The script in XWiki/ResetPassword can also be modified or removed: an administrator can replace it with a simple email contact to ask an administrator to reset the password.
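The affected range above ("prior to 13.1RC1") is the one fact an administrator needs to triage an XWiki fleet, but XWiki version strings mix final releases, release candidates and milestones, so a naive string comparison gets it wrong. The following is an added example (not part of this advisory or of the XWiki project) that parses those version forms and flags affected instances from a constructed inventory; the host names are hypothetical, and the code assumes versions are reported in the usual XWiki forms such as "12.10.3", "13.1RC1", "13.1-rc-1" or "13.2-milestone-1".

```python
import re

# Fixed release per this advisory (CVE-2022-23616): anything earlier is affected.
FIXED_VERSION = "13.1RC1"

# Core numeric version, optionally followed by a pre-release stage and number.
# Accepts both display form (13.1RC1, 13.2M1) and Maven form (13.1-rc-1, 13.2-milestone-1).
_VERSION_RE = re.compile(
    r"^(?P<core>\d+(?:\.\d+)*)"
    r"(?:[-.]?(?P<stage>milestone|rc|m)[-.]?(?P<num>\d+))?$",
    re.IGNORECASE,
)

# Milestones precede release candidates, which precede the final release.
_STAGE_RANK = {"m": 0, "milestone": 0, "rc": 1}
_FINAL_RANK = 2


def parse_xwiki_version(version: str):
    """Turn an XWiki version string into a tuple that sorts in release order.

    Returns (core_numbers, stage_rank, stage_number); e.g. 13.1RC1 -> ((13, 1, 0), 1, 1)
    and 13.1 -> ((13, 1, 0), 2, 0), so the final release sorts after its candidates.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    core = [int(part) for part in match.group("core").split(".")]
    core += [0] * (3 - len(core))  # pad so that 13.1 and 13.1.0 compare equal
    stage = match.group("stage")
    if stage is None:
        return (tuple(core), _FINAL_RANK, 0)
    return (tuple(core), _STAGE_RANK[stage.lower()], int(match.group("num")))


def is_affected(version: str) -> bool:
    """True when the given XWiki Platform version is prior to 13.1RC1."""
    return parse_xwiki_version(version) < parse_xwiki_version(FIXED_VERSION)


# Constructed sample inventory (hypothetical hosts, not taken from the advisory).
SAMPLE_INVENTORY = {
    "wiki-a.example.internal": "12.10.3",
    "wiki-b.example.internal": "13.1RC1",
    "wiki-c.example.internal": "13.0",
    "wiki-d.example.internal": "13.4.1",
}


def affected_hosts(inventory: dict) -> list:
    """Return the sorted list of hosts whose XWiki version is affected."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: XWiki {SAMPLE_INVENTORY[host]} is affected; upgrade to 13.1RC1 or later, "
              "or disable/replace the XWiki/ResetPassword page as a workaround")
```

The comparison key treats a missing stage as "final", which is why 13.1 sorts after 13.1RC1 while 13.1-milestone-2 sorts before it; an inventory that reports versions in another form should be normalised to one of the accepted patterns before being passed to `is_affected`.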

Exploit

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2022-23616
GHSA-MGJW-2WRP-R535

Affected Products

Xwiki Platform