CVE-2023-29526

描述

### Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content ```{{async}}{{display reference="Menu.WebHome" /}}{{/async}}``` 3. Open the comments viewer from the menu (appends ?viewer=comments to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20394 https://jira.xwiki.org/browse/XRENDERING-694 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

受影響套件(2)

• Maven/org.xwiki.platform:xwiki-platform-oldcore>= 10.11.1, < 13.10.11
• Maven/org.xwiki.platform:xwiki-platform-rendering-async-macro>= 10.11.1, < 13.10.11

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-29526
• PATCHhttps://github.com/xwiki/xwiki-platform
• WEBhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gpq5-7p34-vqx5
• WEBhttps://jira.xwiki.org/browse/XRENDERING-694
• WEBhttps://jira.xwiki.org/browse/XWIKI-20394