
Authenticated server side code execution without programming rights on User Dashboards

High
surli published GHSA-rmp6-jjg8-9424 May 12, 2020

Package

org.xwiki.platform:xwiki-platform-dashboard-macro (Maven)

Affected versions

[7.2 - 11.10.2]

Patched versions

11.3.7, 11.10.3, 12.0

Description

Impact

Registered users who do not have script or programming rights are able to execute Python and Groovy scripts while editing their personal dashboards, which the Dashboard Macro renders server side.
The vulnerability has been present since XWiki 7.2 and was fixed in XWiki 11.10.3.

Patches

The issue has been patched and released in both XWiki 11.10.3 and XWiki 12.0; upgrading XWiki to either of those versions includes the fix.

You can also try to manually retrieve the patched jar on Maven and replace your current one with it:

Finally, you can cherry-pick the fix committed in dc0fa65#diff-1d01d375880acfb72b454faca73d23a8 onto a specific version and build xwiki-platform-dashboard-macro manually.

Workarounds

Upgrading XWiki is strongly recommended.
The only workaround for this issue is to remove the Dashboard Macro feature from XWiki entirely, by deleting xwiki-platform-dashboard-macro.jar from datadir/webapps/xwiki/WEB-INF/lib.
You can then verify that it has been removed by going to Administration > Extensions and searching for "Dashboard Macro" under "Core extensions": it should no longer be listed.
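The following script is an added example, not part of the advisory or of the XWiki project: it scans a WEB-INF/lib directory for the dashboard macro jar and reports whether the version it carries falls inside the affected range listed above (7.2 to 11.10.2, with 11.3.7, 11.10.3 and 12.0 patched). It assumes the jar is named by the usual Maven convention, xwiki-platform-dashboard-macro-<version>.jar, and it assumes that the 11.3.x branch is fixed from 11.3.7 onward and that 11.4 is a separate line (the advisory lists 11.3.7 as patched but does not state the branch boundary). The demo builds a throwaway directory with constructed file names so it runs offline; point `find_dashboard_jars` at a real lib directory to check an installation.

```python
"""Check whether an XWiki install still ships a vulnerable dashboard macro jar.

Added example for GHSA-rmp6-jjg8-9424 / CVE-2020-11057; not the advisory's code.
Assumptions: jars are named xwiki-platform-dashboard-macro-<version>.jar, and the
11.3.x line is patched from 11.3.7 up to (not including) 11.4.0.
"""
import re
import tempfile
from pathlib import Path

AFFECTED_LOW = (7, 2, 0)            # advisory: affected versions 7.2 - 11.10.2
AFFECTED_HIGH = (11, 10, 2)
PATCHED_11_3 = (11, 3, 7)           # advisory: 11.3.7 is a patched version
NEXT_MINOR_AFTER_11_3 = (11, 4, 0)  # assumption: 11.4 is a separate branch

# Matches the Maven artifact name; optional "-<qualifier>" (e.g. -SNAPSHOT) is allowed.
JAR_RE = re.compile(
    r"^xwiki-platform-dashboard-macro-(\d+(?:\.\d+)*)(?:-.*)?\.jar$"
)


def parse_version(text):
    """Turn '11.10.2' into (11, 10, 2); pad short versions such as '12.0' to three parts."""
    parts = [int(p) for p in text.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True when the version lies in the advisory's affected range and is not a patched 11.3.x."""
    v = parse_version(version)
    if not (AFFECTED_LOW <= v <= AFFECTED_HIGH):
        return False
    # Backported fix on the 11.3 branch (11.3.7 and later 11.3.x releases).
    if PATCHED_11_3 <= v < NEXT_MINOR_AFTER_11_3:
        return False
    return True


def find_dashboard_jars(lib_dir):
    """Return (jar name, version, affected?) for each dashboard macro jar found in lib_dir."""
    findings = []
    for path in sorted(Path(lib_dir).glob("xwiki-platform-dashboard-macro-*.jar")):
        match = JAR_RE.match(path.name)
        if not match:
            continue
        version = match.group(1)
        findings.append((path.name, version, is_affected(version)))
    return findings


def demo():
    """Scan a temporary lib directory populated with constructed jar names."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in (
            "xwiki-platform-dashboard-macro-11.10.2.jar",  # constructed: affected
            "xwiki-platform-oldcore-11.10.2.jar",          # constructed: unrelated jar
        ):
            Path(tmp, name).touch()
        return find_dashboard_jars(tmp)


if __name__ == "__main__":
    for name, version, affected in demo():
        verdict = "VULNERABLE: upgrade or remove the jar" if affected else "ok"
        print(f"{name}: version {version} -> {verdict}")
```

Removing the jar is only a stopgap; after applying the workaround, rerun the scan (or the Administration > Extensions check described above) to confirm no copy of the artifact remains, and plan the upgrade to a patched release.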

References

https://jira.xwiki.org/browse/XWIKI-16960

For more information

If you have any questions or comments about this advisory:

Severity

High

CVE ID

CVE-2020-11057

Weaknesses

No CWEs