Path traversal in xwiki-platform-skin-skinx
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions, AbstractSxExportURLFactoryActionHandler#processSx does not escape anything from SSX document references when serializing them to the filesystem, so it is possible for the HTML export process to contain reference elements carrying filesystem syntax such as "../", "./" or "/" in general; these referenced elements are not properly escaped. This issue has been resolved in version 13.6-rc-1. This issue can be worked around by limiting or disabling document export.
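The description above names the sink: reference parts joined with "/" into a path under the export directory. The following is an added illustration written for this page, not XWiki's own code. It shows that join pattern, a canonical-path containment check a defender can add to any such export routine, and the id-based layout the fix moves to. The class and method names, the "ssx" prefix standing in for getSxPrefix(), and the sample reference are all constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

/**
 * Added illustration (not XWiki code): why joining unescaped document
 * reference parts into a filesystem path is a traversal sink, and two
 * ways to close it. Names and sample values are constructed.
 */
public class ExportPathDemo {

    /** Pre-fix pattern: reference parts are concatenated with '/' unchanged. */
    static File unsafeTargetDir(File exportDir, List<String> spaceNames, String name) {
        // "ssx" stands in for getSxPrefix(); spaceNames/name come straight from the reference.
        String targetPath = String.format("ssx/%s/%s", String.join("/", spaceNames), name);
        return new File(exportDir, targetPath);
    }

    /** Defence in depth: reject any resolved path that leaves exportDir. */
    static File containedTargetDir(File exportDir, List<String> spaceNames, String name)
            throws IOException {
        File candidate = unsafeTargetDir(exportDir, spaceNames, name);
        // Canonicalisation collapses "." and ".." and resolves symlinks in existing prefixes.
        String root = exportDir.getCanonicalPath() + File.separator;
        String resolved = candidate.getCanonicalPath();
        if (!resolved.startsWith(root)) {
            throw new IOException("export path escapes export directory: " + candidate);
        }
        return candidate;
    }

    /** Approach taken by the fix: derive the directory from a numeric id, not from the reference. */
    static File idTargetDir(File exportDir, long documentId) {
        // A long cannot contain "/" or "..", so no escaping is needed.
        return new File(exportDir, String.format("ssx/%d", documentId));
    }

    public static void main(String[] args) throws IOException {
        File exportDir = new File(System.getProperty("java.io.tmpdir"), "xwiki-export-demo");
        // Constructed sample reference whose space names are parent-directory segments.
        List<String> spaces = Arrays.asList("..", "..");
        String page = "Sheet";

        File unsafe = unsafeTargetDir(exportDir, spaces, page);
        System.out.println("unsafe pattern resolves to: " + unsafe.getCanonicalPath());

        try {
            containedTargetDir(exportDir, spaces, page);
        } catch (IOException e) {
            System.out.println("containment check rejected it: " + e.getMessage());
        }

        // Constructed id value; the real one would come from the document.
        System.out.println("id-based path: " + idTargetDir(exportDir, 1234567890123L).getPath());
    }
}
```

The containment check is the generic mitigation for any export or cache routine that still has to build a path from a string; the id-based layout is the stronger option because no attacker-influenced characters reach the path at all.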
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-skin-skinx (Maven) | >= 6.2-rc-1, < 13.6 | 13.6 |
Affected products
- Range: >= 6.2-rc-1, < 13.6
Patches
ab778254fb8f XWIKI-18819: It's possible to save pretty much anything anywhere by creating and using an SSX/JSX containing "../" in its reference
1 file changed · +7 −11
xwiki-platform-core/xwiki-platform-skin/xwiki-platform-skin-skinx/src/main/java/org/xwiki/skinx/internal/AbstractSxExportURLFactoryActionHandler.java+7 −11 modified@@ -100,13 +100,13 @@ public URL createURL(String spaces, String name, String queryString, String anch XWikiDocument.backupContext(backup, context); try { sxDocument.setAsContextDoc(context); - return processSx(spaceNames, name, queryString, context, exportContext); + return processSx(sxDocument.getId(), queryString, context, exportContext); } finally { XWikiDocument.restoreContext(backup, context); } } - private URL processSx(List<String> spaceNames, String name, String queryString, XWikiContext context, + private URL processSx(long id, String queryString, XWikiContext context, FilesystemExportContext exportContext) throws Exception { SxSource sxSource = null; @@ -128,7 +128,7 @@ private URL processSx(List<String> spaceNames, String name, String queryString, // Write the content to file // We need a unique name for that SSX content - String targetPath = String.format("%s/%s/%s", getSxPrefix(), StringUtils.join(spaceNames, '/'), name); + String targetPath = String.format("%s/%s", getSxPrefix(), id); File targetDirectory = new File(exportContext.getExportDir(), targetPath); if (!targetDirectory.exists()) { targetDirectory.mkdirs(); @@ -146,11 +146,7 @@ private URL processSx(List<String> spaceNames, String name, String queryString, path.append(getSxPrefix()); path.append(URL_PATH_SEPARATOR); - for (String spaceName : spaceNames) { - path.append(encodeURLPart(spaceName)); - path.append(URL_PATH_SEPARATOR); - } - path.append(encodeURLPart(name)); + path.append(id); path.append(URL_PATH_SEPARATOR); path.append(encodeURLPart(targetLocation.getName())); 
@@ -161,14 +157,14 @@ protected String getContent(SxSource sxSource, FilesystemExportContext exportCon { String content; - // We know we're inside a SX file located at "<S|J>sx/<Space>/<Page>/<s|j>sx<NNN>.<css|js>". Inside this CSS + // We know we're inside a SX file located at "<S|J>sx/<id>/<s|j>sx<NNN>.<css|js>". Inside this CSS // there can be URLs and we need to ensure that the prefix for these URLs lead to the root of the path, i.e. - // 3 levels up ("../../../"). + // 3 levels up ("../../"). // To make this happen we reuse the Doc Parent Level from FileSystemExportContext to a fixed value of 3. // We also make sure to put back the original value int originalDocParentLevel = exportContext.getDocParentLevel(); try { - exportContext.setDocParentLevels(3); + exportContext.setDocParentLevels(2); content = sxSource.getContent(); } finally { exportContext.setDocParentLevels(originalDocParentLevel);
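Review bot: in the first hunk (`@@ -100,13 +100,13 @@`) the new `processSx(long id, ...)` signature replaces the reference-derived `spaceNames`/`name` pair with `sxDocument.getId()`, so the only value that reaches the filesystem path is a `long`, which cannot carry "/" or ".." segments; a short comment at the call site `return processSx(sxDocument.getId(), queryString, context, exportContext);` should say that the id is used on purpose so a later refactor does not reintroduce reference-derived path segments.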
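Review bot: in the second hunk (`@@ -128,7 +128,7 @@`) the line `String targetPath = String.format("%s/%s", getSxPrefix(), id);` is what closes the traversal, since the removed `StringUtils.join(spaceNames, '/')` placed the unescaped reference directly into `targetPath`; `%d` would make the numeric intent explicit, and the unchanged `targetDirectory.mkdirs();` still ignores its return value, so a canonical-path check that `targetDirectory` stays under `exportContext.getExportDir()` would be cheap defence in depth should the path ever be built from a string again.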
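Review bot: in the third hunk (`@@ -146,11 +146,7 @@`) `path.append(id);` without `encodeURLPart` is fine for a numeric id and keeps the URL layout in step with the directory layout in `processSx`; the comment `// We need a unique name for that SSX content` in the previous hunk now depends on document ids being unique, and it is worth stating that assumption there rather than leaving the comment describing the old name-based scheme.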
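Review bot: in the last hunk (`@@ -161,14 +157,14 @@`) the comment is now inconsistent with the code: `// 3 levels up ("../../").` and `// To make this happen we reuse the Doc Parent Level from FileSystemExportContext to a fixed value of 3.` still say 3 while the path layout lost a segment (`<S|J>sx/<id>/<s|j>sx<NNN>.<css|js>`) and the call became `exportContext.setDocParentLevels(2);`; both comment lines should say 2.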
References
- github.com/advisories/GHSA-7ph6-5cmq-xgjq
- nvd.nist.gov/vuln/detail/CVE-2022-23620
- github.com/xwiki/xwiki-platform/commit/ab778254fb8f71c774e1c1239368c44fe3b6bba5
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-7ph6-5cmq-xgjq
- jira.xwiki.org/browse/XWIKI-18819