CVE-2022-23622
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts via the xredirect parameter in the registration template. It affects XWiki instances with open registration and restricted guest viewing rights. Successful exploitation could lead to session hijacking or credential theft.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator or user session cookies, perform actions as authenticated users, or redirect users to malicious sites.
Likely Case
Session hijacking of regular users, credential theft through phishing, or defacement of registration pages.
If Mitigated
No impact if proper input validation is implemented or vulnerable configuration is avoided.
🎯 Exploit Status
Exploitation requires specific configuration but is straightforward once conditions are met. No public exploit code found in references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.10.11, 13.4.7, 13.10.3, or 14.0-rc-1 and later
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx6h-936c-vrrr
Restart Required: Yes
Instructions:
1. Upgrade to a patched version.
2. Restart the XWiki service.
3. Verify the patch is applied by checking that the registerinline.vm template contains proper escaping: <input type="hidden" name="xredirect" value="$escapetool.xml($!request.xredirect)" />
🔧 Temporary Workarounds
Manual template patch
Apply the escaping fix directly to the registerinline.vm template file.
Edit registerinline.vm and replace the xredirect line with: <input type="hidden" name="xredirect" value="$escapetool.xml($!request.xredirect)" />
🧯 If You Can't Patch
- Disable open registration (registration for anyone)
- Uncheck 'Prevent unregistered users from viewing pages' in administration rights and implement granular space/group permissions instead
🔍 How to Verify
Check if Vulnerable:
The instance is exposed only when all three conditions hold: the XWiki version is unpatched AND open registration is enabled AND guest viewing is restricted
Check Version:
Check XWiki version in administration panel or via xwiki.cfg file
Verify Fix Applied:
Verify registerinline.vm contains proper escaping: grep -n 'xredirect' registerinline.vm | grep 'escapetool.xml'
📡 Detection & Monitoring
Log Indicators:
- Unusual registration attempts with long or encoded xredirect parameters
- JavaScript execution errors in registration logs
Network Indicators:
- Malicious script payloads in registration POST requests to /xwiki/bin/registerinline
SIEM Query:
web_access_logs WHERE url_path CONTAINS '/registerinline' AND parameters CONTAINS 'xredirect=' AND (parameters CONTAINS '<script' OR parameters CONTAINS 'javascript:')
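The SIEM query above is pseudo-syntax; the following is an added example (not from the original page or the XWiki project) of the same detection logic run over constructed access-log lines in Python. It goes slightly beyond the query: it URL-decodes the xredirect value (twice, to catch double-encoded payloads, which a plain CONTAINS '<script' match would miss) and also flags overly long values as mentioned under Log Indicators. The 256-character length threshold, the combined-log-format regex and the sample lines are assumptions for illustration; note that a web server access log only shows query-string parameters, so xredirect values sent in a POST body would need an application or WAF log instead.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (assumption): client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Tokens from the page's SIEM query plus two common inline-handler forms.
SUSPICIOUS_TOKENS = ("<script", "javascript:", "onerror=", "onload=")
# Assumed threshold for an "unusually long" redirect target.
MAX_XREDIRECT_LEN = 256


def xredirect_values(target):
    """Return every xredirect value in a request target, percent-decoded twice.

    parse_qs() already decodes once; the extra unquote() unwraps a value that
    was encoded a second time before being sent.
    """
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get("xredirect", [])
    return [unquote(v) for v in raw]


def classify_line(line):
    """Return a finding dict for a suspicious registerinline request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if "/registerinline" not in urlsplit(target).path:
        return None
    for value in xredirect_values(target):
        lowered = value.lower()
        hit = next((tok for tok in SUSPICIOUS_TOKENS if tok in lowered), None)
        if hit is not None:
            return {"client": m.group("client"), "reason": f"token {hit!r}", "value": value}
        if len(value) > MAX_XREDIRECT_LEN:
            return {"client": m.group("client"), "reason": "overlong xredirect", "value": value}
    return None


def scan(log_text):
    """Scan a block of log lines; return the list of findings in order."""
    findings = []
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one benign registration, one plain 'javascript:' URL,
# one double-encoded '<script' tag, and one hit on an unrelated path (ignored).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2022:10:00:00 +0000] "GET /xwiki/bin/registerinline/XWiki/XWikiRegister?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F HTTP/1.1" 200 4123
10.0.0.9 - - [10/Feb/2022:10:00:05 +0000] "GET /xwiki/bin/registerinline/XWiki/XWikiRegister?xredirect=javascript%3Aalert(1) HTTP/1.1" 200 4123
10.0.0.9 - - [10/Feb/2022:10:00:07 +0000] "GET /xwiki/bin/registerinline/XWiki/XWikiRegister?xredirect=%253Cscript%253E HTTP/1.1" 200 4123
10.0.0.7 - - [10/Feb/2022:10:00:09 +0000] "GET /xwiki/bin/view/Main/?xredirect=%3Cscript%3E HTTP/1.1" 200 812
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['client']}: {f['reason']} -> {f['value']!r}")
```

Running the block prints two findings, both from 10.0.0.9: the 'javascript:' value and the double-encoded '<script>' value. The request on /xwiki/bin/view/Main/ is not reported because the check is scoped to the registerinline path, matching the page's query.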
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/053d957d53f2a543d158f3ab651e390d2728e0b9
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gx6h-936c-vrrr
- https://jira.xwiki.org/browse/XWIKI-19291