CVE-2024-55663: XWiki Platform has an SQL injection in getdocuments.vm with sort parameter

December 12, 2024 (updated December 16, 2024)

In getdocument.vm ; the ordering of the returned documents is defined from an unsanitized request parameter (request.sort) and can allow any user to inject HQL.

Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries.

It’s possible to employ database backend dependent techniques of breaking out of HQL query context, described, for example, here: https://www.sonarsource.com/blog/exploiting-hibernate-injections.

References

github.com/advisories/GHSA-wh34-m772-5398
github.com/xwiki/xwiki-platform
github.com/xwiki/xwiki-platform/commit/673076e2e8b88a36cdeaf7007843aa9ca1a068a0
github.com/xwiki/xwiki-platform/security/advisories/GHSA-wh34-m772-5398
jira.xwiki.org/browse/XWIKI-17568
nvd.nist.gov/vuln/detail/CVE-2024-55663

Code Behaviors & Features

Detect and mitigate CVE-2024-55663 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →