CVE-2023-26480
📋 TL;DR
This CVE lets any user without script rights perform stored cross-site scripting (XSS) through the Live Data macro in XWiki Platform. An attacker stores a malicious payload in a page that uses the macro, and the script runs in the browser of every user who views that page. Any installation running an affected version is exposed, most acutely where untrusted accounts are allowed to edit pages.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, potentially leading to account compromise and data theft.
Likely Case
Attackers with user accounts can inject malicious scripts that execute when other users view pages containing the Live Data macro, potentially stealing session data or performing unauthorized actions.
If Mitigated
Once the fix is applied, the macro escapes user-supplied values before rendering them, so a user without script rights can only put literal text on the page; what remains is ordinary content manipulation within that user's own edit permissions.
🎯 Exploit Status
Exploitation requires an account that can edit a page but no script rights, so the usual XWiki safeguard against script execution by ordinary users does not apply. The flaw is in how the Live Data macro renders user-controlled input; no public exploit is listed among the references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9, 14.4.7, or 13.10.10
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
Restart Required: Yes
Instructions:
1. Back up your XWiki installation and database.
2. Download the patched version (14.9, 14.4.7, or 13.10.10, whichever matches the branch you run).
3. Follow XWiki's upgrade documentation for your specific version.
4. Restart the application server.
5. Verify the fix by checking the version.
🔧 Temporary Workarounds
No workarounds available. The vendor advisory states there are no known workarounds for this vulnerability; upgrading is the only fix.
🧯 If You Can't Patch
- XWiki has no per-macro permission, so the closest control is to restrict Edit rights on wikis, spaces and pages where untrusted accounts could insert a Live Data macro, and to review pages that already use the macro for unexpected changes
- Web application firewall (WAF) rules matching common XSS payloads in page-save requests (the `save` and `preview` actions) add some friction, but treat them as a stopgap: such rules are routinely bypassed and do nothing about payloads that are already stored
🔍 How to Verify
Check if Vulnerable:
Check your XWiki version. Releases from 12.10 (when the Live Data macro was introduced) up to and including 14.8 are vulnerable, except on the maintenance branches that already carry the backported fix: 13.10.10 and later on the 13.10.x branch, and 14.4.7 and later on the 14.4.x branch. In other words, 13.10.0-13.10.9 and 14.4.0-14.4.6 are vulnerable, and so is every other version from 12.10 through 14.8 (a 14.5 install is vulnerable even though 14.4.7 is fixed).
Check Version:
Open the XWiki administration panel, or look at the footer of any page, which shows the version by default. On the server, the deployed WAR's WEB-INF/version.properties file also records the version.
Verify Fix Applied:
After patching, verify the version is 14.9, 14.4.7, or 13.10.10 or higher on its branch, then confirm the fix behaviourally: as a user without script rights, save a page containing a Live Data macro whose parameters include a harmless HTML fragment such as `<b>test</b>` and check that it renders as literal text rather than as markup.
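The branch logic is easy to get wrong by hand, so the following added example (not code from XWiki or the advisory) encodes the three fixed versions and the 12.10 lower bound as a checker. It assumes that WEB-INF/version.properties in the deployed WAR carries a `version=` line, and it treats a pre-release suffix such as `-rc-1` as the corresponding final release; both are assumptions to confirm against your deployment and the advisory.

```python
"""Check an XWiki version string against the fixed versions for CVE-2023-26480.

Added example for this page, not XWiki project code. Fixed versions are the
ones named in the advisory (14.9, 14.4.7, 13.10.10); the lower bound 12.10 is
the first release shipping the Live Data macro (assumption from the page).
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (12, 10, 0)
MAIN_FIX: Version = (14, 9, 0)
# Maintenance branches that received a backported fix.
BRANCH_FIX = {
    (13, 10): (13, 10, 10),
    (14, 4): (14, 4, 7),
}

# major.minor[.patch] with an optional pre-release suffix such as -rc-1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-[A-Za-z0-9.-]+)?$")


def parse_version(version: str) -> Version:
    """Parse '14.4.6' / '14.9' / '14.9-rc-1' into a comparable tuple.

    Assumption: the pre-release suffix is dropped, so '14.9-rc-1' counts as
    14.9; check the advisory if you run release candidates.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def fix_threshold(v: Version) -> Version:
    """Version below which v is vulnerable: the backported fix when v sits on a
    maintained branch, otherwise the main-line fix 14.9."""
    return BRANCH_FIX.get((v[0], v[1]), MAIN_FIX)


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False  # predates the Live Data macro
    return v < fix_threshold(v)


def version_from_properties(text: str) -> str:
    """Extract the 'version=' entry from a WEB-INF/version.properties file."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    raise ValueError("no version= entry found")


# Constructed sample of version.properties from a vulnerable 14.4.x server.
SAMPLE_VERSION_PROPERTIES = "#Build properties\nversion=14.4.6\n"

if __name__ == "__main__":
    for ver in ("12.9", "13.9", "13.10.9", "13.10.10", "14.4.6", "14.4.7",
                "14.5", "14.8", "14.9", "14.10.3"):
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed / not affected"
        print(f"{ver:>8}: {state}")
    installed = version_from_properties(SAMPLE_VERSION_PROPERTIES)
    print(f"sample server runs {installed}: vulnerable={is_vulnerable(installed)}")
```

Note that a version such as 13.9 or 14.5 reports as vulnerable against the 14.9 threshold: those releases are not on a branch with a backport, so the remedy is to move to 13.10.10, 14.4.7 or 14.9, not to wait for a patch release of the branch you are on.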
📡 Detection & Monitoring
Log Indicators:
- Page saves (`save` or `preview` actions) by accounts without script rights that add or modify a Live Data macro; the page history diff shows exactly what was inserted
- Do not expect failed-script entries in the application log: stored XSS produces no server-side execution error, so the content change is the only server-side trace
Network Indicators:
- Script tags, `javascript:` URIs or inline event handlers in the rendered output of pages that contain a Live Data macro, or in the macro's parameters in edit/save requests
SIEM Query:
Search for patterns like `<script>`, `javascript:` or `onerror=` in Live Data macro parameters. Standard web server access logs record the query string but not POST bodies, so this only catches payloads if request bodies are logged (for example by the WAF or a reverse proxy); scanning the stored page content is more reliable.
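Because access logs rarely hold the saved page body, the more reliable place to run the indicator search is the stored content itself. The added example below (not code from XWiki or the advisory) applies the same indicators to a set of page sources, such as the content of a XAR export or the XWD_CONTENT column of the xwikidoc table; the pages are constructed samples, and since the advisory does not name the unescaped parameter, every Live Data macro invocation is inspected whole, parameters and JSON body alike.

```python
"""Scan stored XWiki page content for Live Data macros that carry HTML/JS payloads.

Added example for this page, not XWiki project code. Input is a mapping of
page reference -> page source; the sample pages below are constructed, and
the JSON configuration shape in them is illustrative only.
"""
import re
from typing import Dict, List

# Matches both macro forms: self-closing {{liveData ... /}} and the block form
# {{liveData ...}}<json config>{{/liveData}} used for advanced configuration.
LIVEDATA_RE = re.compile(
    r"\{\{liveData\b(?P<params>.*?)(?:/\}\}|\}\}(?P<body>.*?)\{\{/liveData\}\})",
    re.IGNORECASE | re.DOTALL,
)

# Indicators: the page's own SIEM hint (<script>, javascript:) plus the tag and
# event-handler forms that usually appear once those two are blocked.
INDICATORS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.I)),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("html-tag", re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I)),
]


def scan_page(content: str) -> List[str]:
    """Return the indicator labels found inside any Live Data macro on one page.

    Markup outside a Live Data macro is deliberately ignored: the goal is to
    find this bug's footprint, not every HTML fragment in the wiki.
    """
    found: List[str] = []
    for m in LIVEDATA_RE.finditer(content):
        # The advisory does not say which parameter was unescaped, so the whole
        # invocation (parameters plus optional JSON body) is inspected.
        text = (m.group("params") or "") + (m.group("body") or "")
        for label, rx in INDICATORS:
            if label not in found and rx.search(text):
                found.append(label)
    return found


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """Map every page reference to its indicator hits (empty list when clean)."""
    return {ref: scan_page(src) for ref, src in pages.items()}


# Constructed sample pages: one benign macro, one payload in the JSON body,
# one payload in a macro parameter.
SAMPLE_PAGES = {
    "Main.Benign": '{{liveData id="users" properties="name,email" source="liveTable" /}}',
    "Sandbox.Evil": (
        '{{liveData id="x" properties="name" source="liveTable"}}\n'
        '{"meta": {"propertyDescriptors": [{"id": "name", "name": "<img src=x onerror=alert(1)>"}]}}\n'
        "{{/liveData}}"
    ),
    "Sandbox.Evil2": (
        '{{liveData id="y" properties="title" source="liveTable" '
        'sourceParameters="className=XWiki.XWikiUsers&translationPrefix=javascript:alert(1)" /}}'
    ),
}

if __name__ == "__main__":
    for ref, hits in scan_pages(SAMPLE_PAGES).items():
        print(f"{ref}: {'CLEAN' if not hits else ', '.join(hits)}")
```

Hits are listed per indicator class, which tells you what kind of payload got through; a page with `<script>` outside any Live Data macro is not flagged, since that is outside this check's scope. Any hit should be cross-checked against the page history to see which account saved it and whether that account holds script rights.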
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/23d5ea9b23e84b5f3d1f1b2d5673fe8c774d0d79
- https://github.com/xwiki/xwiki-platform/commit/556e7823260b826f344c1a6e95d935774587e028
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-32fq-m2q5-h83g
- https://jira.xwiki.org/browse/XWIKI-20143