CVE-2022-41928
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml
Description
### Impact Any user with the right to edit his personal page can follow one of the scenario below: **Scenario 1**: - Log in as a simple user with just edit rights on the user profile - Go to the user's profile - Upload an attachment in the attachment tab at the bottom of the page (any image is fine) - Click on "rename" in the attachment list and enter `{{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}.png` as new attachment name and submit the rename - Go back to the user profile - Click on the edit icon on the user avatar - `Hello from groovy!` is displayed as the title of the attachment **Scenario 2**: - Log in as a simple user with just edit rights on a page - Create a Page `MyPage.WebHome` - Create an XClass field of type String named `avatar` - Add an XObject of type `MyPage.WebHome` on the page - Insert an `attachmentSelector` macro in the document with the following values: - **classname**: `MyPage.WebHome` - **property**: `avatar` - **savemode**: `direct` - **displayImage**: `true` - **width**: `]] {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello from groovy!"){{/groovy}}{{/async}}`. You'll find below a snippet of an `attachmentSelector` macro declaration. - Display the page - Use the attachment picker to select an image - `Hello from groovy` is displayed aside the image Example of an `attachmentSelector` macro declaration: ``` `{{attachmentSelector classname="MyPage.WebHome" property="avatar" savemode="direct" displayImage="true" width="]] {{async async=~"true~" cached=~"false~" context=~"doc.reference~"~}~}{{groovy~}~}println(~"Hello from groovy!~"){{/groovy~}~}{{/async~}~}"/}}` ``` **Note**: The issue can also be reproduced by inserting the dangerous payload in the `height` or `alt` macro properties. ### Patches The issue can be fixed on a running wiki by updating `XWiki.AttachmentSelector` with the versions below: - 14.5-rc-1+: https://github.com/xwiki/xwiki-platform/commit/eb15147adf94bddb92626f862c1710d45bcd64a7#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 14.4.2+: https://github.com/xwiki/xwiki-platform/commit/c02f8eb1f3c953d124f2c097021536f8bc00fa8d#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 - 13.10.7+: https://github.com/xwiki/xwiki-platform/commit/efd0df0468d46149ba68b66660b93f31b6318515#diff-e1513599ab698991f6cbba55d38f3f464432ced8d137a668b1f7618c7e747e23 ### Workarounds No known workaround. ### References - https://jira.xwiki.org/browse/XWIKI-19800 ### For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:security@xwiki.org)