google / tsunami-security-scanner-plugins

This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
Apache License 2.0
860 stars, 178 forks

PRP: Request XWiki user registration feature RCE (CVE-2024-21650) #366

Open YuriyPobezhymov opened 5 months ago

YuriyPobezhymov commented 5 months ago

Hello.

I would like to start implementing a plugin to detect RCE attack through its user registration feature.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-21650 https://jira.xwiki.org/browse/XWIKI-21173

Description: XWiki is vulnerable to a remote code execution (RCE) attack through its user registration feature. This issue allows an attacker to execute arbitrary code by crafting malicious payloads in the "first name" or "last name" fields during user registration. This impacts all installations that have user registration enabled for guests.

Versions:

>= 2.2, < 14.10.17; >= 15.0-rc-1, < 15.5.3; >= 15.6-rc-1, < 15.8-rc-1

Cleanup: I didn't find account-deleting functionality for a regular user, but I think I'm able to change the "first name" programmatically to something random after registration to remove the payload from there.

Thanks.
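As an added example (not part of this issue or of the Tsunami plugin), a defender-side check of an XWiki version string against the affected ranges listed above. It assumes XWiki's `major.minor[.patch][-rc-N]` version format and that a release candidate sorts before the corresponding final release:

```python
import re
from typing import Tuple

# Affected ranges as quoted in the issue: inclusive lower bound, exclusive upper bound.
AFFECTED_RANGES = [
    ("2.2", "14.10.17"),
    ("15.0-rc-1", "15.5.3"),
    ("15.6-rc-1", "15.8-rc-1"),
]

# Assumed format: dotted numeric parts, optionally followed by "-rc-N".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-rc-(\d+))?$")


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn an XWiki-style version string into a sortable key.

    Key layout: (numeric parts, 0 for rc / 1 for final, rc number).
    The middle element makes "15.8-rc-1" sort before "15.8" (an assumption
    about XWiki's release ordering, not something stated in the issue).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Normalise trailing zeros so "15.5.0" compares equal to "15.5".
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    numeric = tuple(parts)
    if m.group(2) is None:
        return numeric, 1, 0
    return numeric, 0, int(m.group(2))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the CVE-2024-21650 ranges."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(high):
            return True
    return False
```

Gaps between the ranges (for example 15.5.3 up to but excluding 15.6-rc-1) are treated as fixed releases, which is how the advisory's ranges read.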

tooryx commented 5 months ago

Hi @YuriyPobezhymov,

Thanks for your request! This vulnerability is in scope for the reward program. Please submit our participation form and you can start working on the development.

Please keep in mind that the Tsunami Scanner Team will only be able to work on one issue at a time for each participant, so please hold off on the implementation work for any other requests you might have.

Thanks!

YuriyPobezhymov commented 5 months ago

I made a PR for this issue. My decision for cleanup purposes is to make the first name contain the "Delete me!" text, so the admin will be able to see it in the user list and delete the user then.