XWiki Platform Realtime WYSIWYG Editor Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the XWiki Platform Realtime WYSIWYG Editor extension, affecting versions from 13.9-rc-1 before 15.10.12, from 13.9-rc-1 before 16.4.1, and from 13.9-rc-1 before 16.6.0-rc-1. In the vulnerable versions, a user with only edit rights can join a realtime editing session in which other participants hold script or programming rights. That user can insert script rendering macros into the shared content, and those macros are then executed in the context of the session participants who have script rights, potentially granting the inserting user access rights they do not have. The vulnerability arises because the realtime editing feature, which was experimental and not recommended in the affected versions, has become enabled by default in XWiki 16.9.0.

Impact

Exploitation of this vulnerability allows a user with edit rights to execute scripts in the context of other users with script or programming rights, potentially leading to unauthorized access or privileges.

Reproduction

To reproduce this vulnerability, a user with edit rights must join a realtime editing session. Once in the session, if another user with script or programming rights joins, the first user can insert a script rendering macro using the WYSIWYG editor. When the content is reloaded, the macro will be executed for the user with script rights, allowing the original user to gain additional access rights. This vulnerability can also be reproduced by having a user with script rights join a session where another user with only edit rights is present, enabling the execution of injected scripts.

Remediation

Users can upgrade to XWiki versions 15.10.12, 16.4.1, or 16.6.0-rc-1, where this vulnerability has been patched. Alternatively, users can disable realtime WYSIWYG editing by turning off the 'xwiki-realtime' CKEditor plugin or by uninstalling the Realtime WYSIWYG Editor extension.
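An added helper, not part of this advisory or of XWiki, for checking an installed XWiki version against the affected ranges and fixed releases stated above. It assumes each fixed release closes the range on its own release branch (15.x fixed at 15.10.12, 16.0 to 16.4 fixed at 16.4.1, later 16.x fixed at 16.6.0-rc-1), which is how the three overlapping ranges are read here, and it orders XWiki pre-release suffixes (milestone, rc) below the final release of the same number.

```python
import re
from typing import Tuple

# Version data as stated on this advisory page.
FIRST_AFFECTED = "13.9-rc-1"
# Assumption: each fixed release closes the affected range on its own branch.
FIXED_BY_BRANCH = {"15": "15.10.12", "16.0-16.4": "16.4.1", "16.5+": "16.6.0-rc-1"}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?$")

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn an XWiki version string into a sortable tuple.

    Numeric parts are padded to three components; the fourth component
    ranks the release stage so that milestone < rc < final release.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    nums = [int(part) for part in match.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if match.group(2) is None:
        return (*nums, 2, 0)                          # final release
    stage = 0 if match.group(2) == "milestone" else 1 # milestone < rc
    return (*nums, stage, int(match.group(3)))

def fixed_version_for(version: str) -> str:
    """Return the patched release that applies to the given version's branch."""
    major, minor = parse_version(version)[:2]
    if major < 16:
        return FIXED_BY_BRANCH["15"]
    if major == 16 and minor <= 4:
        return FIXED_BY_BRANCH["16.0-16.4"]
    return FIXED_BY_BRANCH["16.5+"]

def is_vulnerable(version: str) -> bool:
    """True when the version lies in [13.9-rc-1, fixed release of its branch)."""
    key = parse_version(version)
    return parse_version(FIRST_AFFECTED) <= key < parse_version(fixed_version_for(version))

if __name__ == "__main__":
    # Constructed sample inputs; 16.9.0 is the version the advisory names as
    # enabling realtime editing by default and is above every fixed release.
    for sample in ("13.8", "13.9-rc-1", "15.10.11", "15.10.12", "16.4.0", "16.4.1", "16.5.2", "16.9.0"):
        verdict = "VULNERABLE, upgrade to " + fixed_version_for(sample) if is_vulnerable(sample) else "not affected"
        print(f"{sample:12} {verdict}")
```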

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.