Common Weakness Enumeration

CWE-95

Allowed

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Abstraction: Variant · Status: Incomplete

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

262 vulnerabilities reference this CWE, most recent first.

GHSA-W392-75Q8-VR67

Vulnerability from github – Published: 2024-09-18 15:30 – Updated: 2024-09-18 17:39
VLAI
Summary
Guardrails has an arbitrary code execution vulnerability
Details

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "guardrails-ai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.2.9"
            },
            {
              "fixed": "0.5.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-18T17:39:32Z",
    "nvd_published_at": "2024-09-18T15:15:16Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user\u0027s machine.",
  "id": "GHSA-w392-75q8-vr67",
  "modified": "2024-09-18T17:39:33Z",
  "published": "2024-09-18T15:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45858"
    },
    {
      "type": "WEB",
      "url": "https://github.com/guardrails-ai/guardrails/commit/ab12701e8c3ef41273ff9b3912f2e4e28ae8306f"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/guardrails-ai/guardrails"
    },
    {
      "type": "WEB",
      "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-guardrails"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Guardrails has an arbitrary code execution vulnerability"
}

GHSA-W3PJ-WH35-FQ8W

Vulnerability from github – Published: 2025-02-05 15:32 – Updated: 2025-02-05 15:32
VLAI
Summary
GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions
Details

Summary

Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.

Details

The following methods pass XPath expressions to the commons-jxpath library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input.

  • org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)
  • org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)
  • org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)
  • org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class<T>)
  • org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)
  • org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class<T>)
  • org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)

PoC

The following inputs to StreamingParser will delay the response by five seconds:

        new org.geotools.xsd.StreamingParser(
                        new org.geotools.filter.v1_0.OGCConfiguration(),
                        new java.io.ByteArrayInputStream("<Filter></Filter>".getBytes()),
                        "java.lang.Thread.sleep(5000)")
                .parse();

Impact

This vulnerability can lead to executing arbitrary code.

Mitigation

GeoTools can operate with reduced functionality by removing the gt-complex jar from your application. As an example of the impact application schema datastore would not function without the ability to use XPath expressions to query complex content.

The SourceForge download page lists drop-in-replacement jars for GeoTools: 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, 24.0. These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.

References

https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv https://osgeo-org.atlassian.net/browse/GEOT-7587 https://github.com/geotools/geotools/pull/4797 https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-app-schema"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0"
            },
            {
              "fixed": "30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-complex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0"
            },
            {
              "fixed": "30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools.xsd:gt-xsd-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "30.0"
            },
            {
              "fixed": "30.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-app-schema"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "31.0"
            },
            {
              "fixed": "31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-complex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "31.0"
            },
            {
              "fixed": "31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools.xsd:gt-xsd-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "31.0"
            },
            {
              "fixed": "31.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-app-schema"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "29.0"
            },
            {
              "fixed": "29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-complex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "29.0"
            },
            {
              "fixed": "29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools.xsd:gt-xsd-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "29.0"
            },
            {
              "fixed": "29.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-app-schema"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "28.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools:gt-complex"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "28.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.geotools.xsd:gt-xsd-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "28.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-36404"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-05T15:32:02Z",
    "nvd_published_at": "2024-07-02T14:15:13Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nRemote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input.\n\n### Details\nThe following methods pass XPath expressions to the `commons-jxpath` library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input.\n\n* `org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)`\n* `org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)`\n* `org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)`\n* `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class\u003cT\u003e)`\n* `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)`\n* `org.geotools.data.complex.expression.MapPropertyAccessorFactory.new PropertyAccessor() {...}.get(Object, String, Class\u003cT\u003e)`\n* `org.geotools.xsd.StreamingParser.StreamingParser(Configuration, InputStream, String)`\n\n### PoC\nThe following inputs to StreamingParser will delay the response by five seconds:\n```\n        new org.geotools.xsd.StreamingParser(\n                        new org.geotools.filter.v1_0.OGCConfiguration(),\n                        new java.io.ByteArrayInputStream(\"\u003cFilter\u003e\u003c/Filter\u003e\".getBytes()),\n                        \"java.lang.Thread.sleep(5000)\")\n                .parse();\n```\n\n### Impact\n\nThis vulnerability can lead to executing arbitrary code.\n\n### Mitigation\n\nGeoTools can operate with reduced functionality by removing the `gt-complex` jar from your application.  As an example of the impact application schema datastore would not function without the ability to use XPath expressions to query complex content.\n\nThe SourceForge download page lists drop-in-replacement jars for GeoTools: [31.1](https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1/), [30.3](https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download), [30.2](https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download), [29.2](https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download), [28.2](https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download), [27.5](https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download), [27.4](https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download), [26.7](https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download), [26.4](https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4/), [25.2](https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download), [24.0](https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download). These jars are for download only and are not available from maven central, intended to quickly provide a fix to affected applications.\n\n### References\nhttps://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv\nhttps://osgeo-org.atlassian.net/browse/GEOT-7587\nhttps://github.com/geotools/geotools/pull/4797\nhttps://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852",
  "id": "GHSA-w3pj-wh35-fq8w",
  "modified": "2025-02-05T15:32:03Z",
  "published": "2025-02-05T15:32:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-36404"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/pull/4797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/geotools/geotools/commit/f0c9961dc4d40c5acfce2169fab92805738de5ea"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2031%20Releases/31.1"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.3/geotools-30.3-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2030%20Releases/30.2/geotools-30.2-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2029%20Releases/29.2/geotools-29.2-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2028%20Releases/28.2/geotools-28.2-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.5/geotools-27.5-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2027%20Releases/27.4/geotools-27.4-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.7/geotools-26.7-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2026%20Releases/26.4"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2025%20Releases/25.2/geotools-25.2-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/geotools/files/GeoTools%2024%20Releases/24.0/geotools-24.0-patches.zip/download"
    },
    {
      "type": "WEB",
      "url": "https://osgeo-org.atlassian.net/browse/GEOT-7587"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/geotools/geotools"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Warxim/CVE-2022-41852?tab=readme-ov-file#workaround-for-cve-2022-41852"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GeoTools Remote Code Execution (RCE) vulnerability in evaluating XPath expressions"
}

GHSA-W56X-9778-RPPX

Vulnerability from github – Published: 2026-06-22 20:09 – Updated: 2026-06-22 20:09
VLAI
Summary
xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro
Details

Summary

The excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro's rights. Therefore, it is vulnerable to XWiki syntax injection via the included page's title and content, allowing remote code execution for any user who can edit a page.

Details

The title of the included page isn't escaped in ExcerptInclude.xml#L277. Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro's content such that it is executed with the macro's rights.

PoC

  1. As a user without script or programming right, create a page named Exploit.
  2. In the edit screen, change the title to {{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}}.
  3. Set the content to
{{excerpt-include 0="Exploit.WebHome"}}{{/excerpt-include}}

{{excerpt}}
  {{async}}{{groovy}}println("Hello from Groovy content!"){{/groovy}}{{/async}}
{{/excerpt}}
  1. Save and view the page.
  2. If this displays "Hello from Groovy Title!" without the surrounding macro code or "Hello from Groovy content!", the attack succeeded.

Impact

Remote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.xwiki.pro:xwiki-pro-macros"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.13"
            },
            {
              "fixed": "1.14.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44179"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-22T20:09:59Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe excerpt-include macro does not properly escape the title of the included page and executes the content of the excerpt with the macro\u0027s rights. Therefore, it is vulnerable to XWiki syntax injection via the included page\u0027s title and content, allowing remote code execution for any user who can edit a page.\n\n### Details\nThe title of the included page isn\u0027t escaped in [ExcerptInclude.xml#L277](https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/ExcerptInclude.xml#L277). Further, the content of the excerpt macro is rendered to XWiki syntax and output into the macro\u0027s content such that it is executed with the macro\u0027s rights.\n\n### PoC\n1. As a user without script or programming right, create a page named `Exploit`.\n2. In the edit screen, change the title to `{{async}}{{groovy}}println(\"Hello from Groovy Title!\"){{/groovy}}{{/async}}`.\n3. Set the content to\n```\n{{excerpt-include 0=\"Exploit.WebHome\"}}{{/excerpt-include}}\n\n{{excerpt}}\n  {{async}}{{groovy}}println(\"Hello from Groovy content!\"){{/groovy}}{{/async}}\n{{/excerpt}}\n```\n4. Save and view the page.\n5. If this displays \"Hello from Groovy Title!\" without the surrounding macro code or \"Hello from Groovy content!\", the attack succeeded.\n\n### Impact\nRemote code execution impacts the confidentiality, integrity and availability of the whole XWiki installation.",
  "id": "GHSA-w56x-9778-rppx",
  "modified": "2026-06-22T20:09:59Z",
  "published": "2026-06-22T20:09:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-w56x-9778-rppx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwikisas/xwiki-pro-macros"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "xwiki-pro-macros has remote code execution from page title and content via excerpt-include macro"
}

GHSA-W757-4QV9-MGHP

Vulnerability from github – Published: 2026-01-13 19:01 – Updated: 2026-01-14 21:44
VLAI
Summary
openc3-api Vulnerable to Unauthenticated Remote Code Execution
Details

Summary

OpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().

Because the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "openc3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.6"
            },
            {
              "fixed": "6.10.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-68271"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T19:01:49Z",
    "nvd_published_at": "2026-01-13T19:16:14Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nOpenC3 COSMOS contains a critical remote code execution vulnerability reachable through the JSON-RPC API. When a JSON-RPC request uses the string form of certain APIs, attacker-controlled parameter text is parsed into values using String#convert_to_value. For array-like inputs, convert_to_value executes eval().\n\nBecause the cmd code path parses the command string before calling authorize(), an unauthenticated attacker can trigger Ruby code execution even though the request ultimately fails authorization (401).",
  "id": "GHSA-w757-4qv9-mghp",
  "modified": "2026-01-14T21:44:52Z",
  "published": "2026-01-13T19:01:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/security/advisories/GHSA-w757-4qv9-mghp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68271"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OpenC3/cosmos/commit/01e9fbc5e66e9a2500b71a75a44775dd1fc2d1de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OpenC3/cosmos"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/openc3/CVE-2025-68271.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "openc3-api Vulnerable to Unauthenticated Remote Code Execution"
}

GHSA-W7V9-FC49-4QG4

Vulnerability from github – Published: 2023-04-12 20:35 – Updated: 2023-04-26 20:33
VLAI
Summary
org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability
Details

Impact

Any user with view rights WikiManager.DeleteWiki can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the wikiId url parameter.

A proof of concept exploit is to open /xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where is the URL of your XWiki installation.

Patches

The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10.

Workarounds

The issue can be fixed manually applying this patch.

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3-milestone-2"
            },
            {
              "fixed": "13.10.11"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0-rc-1"
            },
            {
              "fixed": "14.4.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-29211"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T20:35:30Z",
    "nvd_published_at": "2023-04-16T07:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nAny user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter.\n\nA proof of concept exploit is to open \u003cxwiki-host\u003e/xwiki/bin/view/WikiManager/DeleteWiki?wikiId=%22+%2F%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D where \u003cxwiki-host\u003e is the URL of your XWiki installation.\n\n### Patches\nThe problem has been patched on XWiki  13.10.11, 14.4.7, and 14.10.\n\n### Workarounds\nThe issue can be fixed manually applying this [patch](https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64).\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-w7v9-fc49-4qg4",
  "modified": "2023-04-26T20:33:26Z",
  "published": "2023-04-12T20:35:30Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-w7v9-fc49-4qg4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-29211"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ba4c76265b0b8a5e2218be400d18f08393fe1428#diff-64f39f5f2cc8c6560a44e21a5cfd509ef00e8a2157cd9847c9940a2e08ea43d1R63-R64"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-20297"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.xwiki.platform:xwiki-platform-wiki-ui-mainwiki Eval Injection vulnerability"
}

GHSA-WCJW-3V6P-4V3R

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-16 21:57
VLAI
Summary
MindsDB Eval Injection vulnerability
Details

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mindsdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.10.3.0"
            },
            {
              "fixed": "24.7.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45846"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-12T17:04:00Z",
    "nvd_published_at": "2024-09-12T13:15:12Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted \u2018SELECT WHERE\u2019 clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.",
  "id": "GHSA-wcjw-3v6p-4v3r",
  "modified": "2024-09-16T21:57:30Z",
  "published": "2024-09-12T15:33:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45846"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindsdb/mindsdb/commit/11a4db792ad36cf704f7307c7602128b17752c80"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mindsdb/mindsdb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-77.yaml"
    },
    {
      "type": "WEB",
      "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MindsDB Eval Injection vulnerability"
}

GHSA-WF9G-C67G-H4CH

Vulnerability from github – Published: 2024-09-12 15:33 – Updated: 2024-09-16 22:33
VLAI
Summary
MindsDB Eval Injection vulnerability
Details

An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an ‘INSERT’ query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mindsdb"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "23.10.5.0"
            },
            {
              "fixed": "24.7.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-45851"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-12T17:03:51Z",
    "nvd_published_at": "2024-09-12T13:15:14Z",
    "severity": "HIGH"
  },
  "details": "An arbitrary code execution vulnerability exists in versions 23.10.5.0 up to 24.7.4.1 of the MindsDB platform, when the Microsoft SharePoint integration is installed on the server. For databases created with the SharePoint engine, an \u2018INSERT\u2019 query can be used for list item creation. If such a query is specially crafted to contain Python code and is run against the database, the code will be passed to an eval function and executed on the server.",
  "id": "GHSA-wf9g-c67g-h4ch",
  "modified": "2024-09-16T22:33:29Z",
  "published": "2024-09-12T15:33:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45851"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mindsdb/mindsdb/commit/11a4db792ad36cf704f7307c7602128b17752c80"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mindsdb/mindsdb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/mindsdb/PYSEC-2024-81.yaml"
    },
    {
      "type": "WEB",
      "url": "https://hiddenlayer.com/sai-security-advisory/2024-09-mindsdb"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "MindsDB Eval Injection vulnerability"
}

GHSA-X2QM-R4WX-8GPG

Vulnerability from github – Published: 2023-03-03 22:51 – Updated: 2023-03-03 22:51
VLAI
Summary
org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability
Details

Impact

It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the newThemeName request parameter (URL parameter), in combination with additional parameters form_token=1&action=create.

For instance: http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create will execute the following groovy code: println("hello from groovy!") on the server.

Patches

This has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.

Workarounds

It is possible to edit FlamingoThemesCode.WebHomeSheet and manually perform the changes from the patch fixing the issue.

References

  • https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284
  • https://jira.xwiki.org/browse/XWIKI-19757

For more information

If you have any questions or comments about this advisory: * Open an issue in Jira XWiki.org * Email us at Security Mailing List

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.2.4"
            },
            {
              "fixed": "13.10.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.0"
            },
            {
              "fixed": "14.4.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "14.5"
            },
            {
              "fixed": "14.9-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-26477"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-03T22:51:02Z",
    "nvd_published_at": "2023-03-02T18:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nIt\u0027s possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1\u0026action=create`.\n\nFor instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D\u0026form_token=1\u0026action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D\u0026form_token=1\u0026action=create) will execute the following groovy code: `println(\"hello from groovy!\")` on the server.\n\n### Patches\nThis has been patched in the supported versions 13.10.10, 14.9-rc-1, and 14.4.6.\n\n### Workarounds\nIt is possible to edit `FlamingoThemesCode.WebHomeSheet` and manually perform the changes from [the patch fixing the issue](https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284).\n\n### References\n- https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284\n- https://jira.xwiki.org/browse/XWIKI-19757\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)\n* Email us at [Security Mailing List](mailto:security@xwiki.org)\n",
  "id": "GHSA-x2qm-r4wx-8gpg",
  "modified": "2023-03-03T22:51:02Z",
  "published": "2023-03-03T22:51:02Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-x2qm-r4wx-8gpg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26477"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ea2e615f50a918802fd60b09ec87aa04bc6ea8e2#diff-e2153fa59f9d92ef67b0afbf27984bd17170921a3b558fac227160003d0dfd2aR283-R284"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-19757"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability"
}

GHSA-XM4H-3JXR-M3C6

Vulnerability from github – Published: 2024-04-10 17:13 – Updated: 2024-04-10 22:01
VLAI
Summary
XWiki Platform: Remote code execution through space title and Solr space facet
Details

Impact

By creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.

To reproduce, as a user without script nor programming rights, create a document with title {{/html}}{{async}}{{groovy}}println("Hello from Groovy Title!"){{/groovy}}{{/async}} and content Test Document. Using the search UI, search for "Test Document", then deploy the Location facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:

Hello from Groovy Title!
</a>
<div class="itemCount">1</div>
</li>
</ul>
{{/html}}

Patches

This has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.

Workarounds

Modify the Main.SolrSpaceFacet page following this patch.

References

  • https://jira.xwiki.org/browse/XWIKI-21471
  • https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb
  • https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2-rc-1"
            },
            {
              "fixed": "14.10.20"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.0-rc-1"
            },
            {
              "fixed": "15.5.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.xwiki.platform:xwiki-platform-search-solr-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "15.6-rc-1"
            },
            {
              "fixed": "15.10-rc-1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-31984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94",
      "CWE-95"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-10T17:13:15Z",
    "nvd_published_at": "2024-04-10T20:15:08Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nBy creating a document with a specially crafted title, it is possible to trigger remote code execution in the (Solr-based) search in XWiki. This allows any user who can edit the title of a space (all users by default) to execute any Groovy code in the XWiki installation which compromises the confidentiality, integrity and availability of the whole XWiki installation.\n\nTo reproduce, as a user without script nor programming rights, create a document with title `{{/html}}{{async}}{{groovy}}println(\"Hello from Groovy Title!\"){{/groovy}}{{/async}}` and content `Test Document`. Using the search UI, search for `\"Test Document\"`, then deploy the `Location` facet on the right of the screen, next to the search results. The installation is vulnerable if you see an item such as:\n```\nHello from Groovy Title!\n\u003c/a\u003e\n\u003cdiv class=\"itemCount\"\u003e1\u003c/div\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n{{/html}}\n```\n\n### Patches\nThis has been patched in XWiki 14.10.20, 15.5.4 and 15.10 RC1.\n\n### Workarounds\nModify the `Main.SolrSpaceFacet` page following this [patch](https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb#diff-22dd1949ed9019a39f2550f5a953a1a967c30a374dc9eeddb74069bf229b17d5).\n\n### References\n* https://jira.xwiki.org/browse/XWIKI-21471\n* https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb\n* https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5\n",
  "id": "GHSA-xm4h-3jxr-m3c6",
  "modified": "2024-04-10T22:01:16Z",
  "published": "2024-04-10T17:13:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-xm4h-3jxr-m3c6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-31984"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/43c9d551e3c11e9d8f176b556dd33bbe31fc66e0"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/5ef9d294d37be92ee22b2549e38663b29dce8767"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/74e301c481e69eeea674dac7fed6af3614cf08c5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/94fc12db87c2431eb1335ecb9c2954b1905bde62"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/acba74c149a041345b24dcca52c586f872ba97fb"
    },
    {
      "type": "WEB",
      "url": "https://github.com/xwiki/xwiki-platform/commit/ef55105d6eeec5635fd693f0070c5aaaf3bdd940"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/xwiki/xwiki-platform"
    },
    {
      "type": "WEB",
      "url": "https://jira.xwiki.org/browse/XWIKI-21471"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "XWiki Platform: Remote code execution through space title and Solr space facet"
}

GHSA-XMCG-3P5M-PG58

Vulnerability from github – Published: 2025-10-15 03:30 – Updated: 2025-10-15 03:30
VLAI
Details

The WordPress plugin is-human <= v1.4.2 contains an eval injection vulnerability in /is-human/engine.php that can be triggered via the 'type' parameter when the 'action' parameter is set to 'log-reset'. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-10033"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-95"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-15T02:15:31Z",
    "severity": "CRITICAL"
  },
  "details": "The WordPress plugin\u00a0is-human \u003c= v1.4.2 contains\u00a0an eval injection vulnerability in /is-human/engine.php that can be triggered via the \u0027type\u0027 parameter when the \u0027action\u0027 parameter is set to \u0027log-reset\u0027. The root cause is unsafe use of eval() on user-controlled input, which can lead to execution of attacker-supplied PHP and OS commands. This may result in arbitrary code execution as the webserver user, site compromise, or data exfiltration. The is-human plugin was made defunct in June 2008 and is no longer available for download. This vulnerability was exploited in the wild in March 2012.",
  "id": "GHSA-xmcg-3p5m-pg58",
  "modified": "2025-10-15T03:30:40Z",
  "published": "2025-10-15T03:30:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-10033"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120115212202/http://blog.spiderlabs.com/2012/01/honeypot-alert-is-human-wordpress-plugin-remote-command-execution-attack-detected.html"
    },
    {
      "type": "WEB",
      "url": "https://wordpress.org/plugins/is-human"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/17299"
    },
    {
      "type": "WEB",
      "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-more-wordpress-is_human-plugin-remote-command-injection-attack-detected"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/wordpress-plugin-is-human-eval-injection-rce"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design Implementation

Strategy: Refactoring

If possible, refactor your code so that it does not need to use eval() at all.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Implementation
  • Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180, CWE-181). Make sure that your application does not inadvertently decode the same input twice (CWE-174). Such errors could be used to bypass allowlist schemes by introducing dangerous inputs after they have been checked. Use libraries such as the OWASP ESAPI Canonicalization control.
  • Consider performing repeated canonicalization until your input does not change any more. This will avoid double-decoding and similar scenarios, but it might inadvertently modify inputs that are allowed to contain properly-encoded dangerous content.
Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.