CVE-2023-29207
📋 TL;DR
This cross-site scripting (XSS) vulnerability in XWiki allows attackers to inject malicious JavaScript via column names in Livetable and Documents macros. Users without script rights can exploit this in comments, potentially leading to privilege escalation when combined with higher-privileged user interaction. All XWiki instances running vulnerable versions are affected.
💻 Affected Systems
- XWiki Commons
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation to admin rights leading to remote code execution, complete wiki compromise, data exfiltration, and content destruction.
Likely Case
Session hijacking, credential theft, content manipulation, and limited privilege escalation through social engineering of authenticated users.
If Mitigated
Limited to content defacement or minor data exposure if proper input validation and output encoding are enforced elsewhere.
🎯 Exploit Status
Exploit syntax provided in advisory. Requires user interaction but no script rights. Comments functionality provides attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.9, 14.4.6, or 13.10.10
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6vgh-9r3c-2cxp
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Upgrade to a patched version (14.9, 14.4.6, or 13.10.10).
3. Restart the XWiki application server.
4. Verify the fix by testing the exploit syntax.
🔧 Temporary Workarounds
Disable Documents Macro
Remove or restrict access to the vulnerable Documents Macro functionality
Edit XWiki configuration to disable documents macro or restrict its usage
Input Validation Filter
Implement a web application firewall or input validation to block script tags in column parameters
Configure WAF rules to block requests containing <script> tags in column parameters
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to mitigate XSS impact
- Disable comments functionality and restrict macro usage to trusted users only
🔍 How to Verify
Check if Vulnerable:
Test with exploit syntax: {{documents id="test" count="5" actions="false" columns="doc.title, before<script>alert(1)</script>after"/}} in a comment or page
Check Version:
Check XWiki version in administration panel or via xwiki.cfg file
Verify Fix Applied:
After patching, the same exploit syntax should no longer execute JavaScript and should display sanitized output
📡 Detection & Monitoring
Log Indicators:
- Unusual column parameter values containing script tags
- Multiple failed macro executions with malformed parameters
Network Indicators:
- HTTP requests with <script> tags in column parameters
- Unusual macro usage patterns from single IPs
SIEM Query:
Search web server or application logs for columns parameter values containing <script>, and for documents or livetable macro invocations whose parameters contain script patterns
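As an added example (not from the advisory or the XWiki project), the following Python checker applies the log indicators above to constructed sample entries: it undoes URL and HTML-entity encoding, locates documents and livetable macro invocations, and flags any column name that carries markup. The log format and the assumption that the comment body is logged are assumptions, not XWiki defaults.

```python
import re
import html
from urllib.parse import unquote_plus

# Constructed sample entries (not real traffic). Assumes the application log
# records the submitted comment body; default access logs do not.
SAMPLE_LOGS = [
    '10.0.0.5 [01/Apr/2023:10:00:01] POST /xwiki/bin/commentadd/Main/WebHome '
    'comment=%7B%7Bdocuments+id%3D%22test%22+count%3D%225%22+actions%3D%22false%22'
    '+columns%3D%22doc.title%2C+before%3Cscript%3Ealert(1)%3C%2Fscript%3Eafter%22%2F%7D%7D',
    '10.0.0.7 [01/Apr/2023:10:00:02] POST /xwiki/bin/commentadd/Main/WebHome '
    'comment=%7B%7Blivetable+id%3D%22ok%22+columns%3D%22doc.title%2C+doc.date%22%2F%7D%7D',
    '10.0.0.9 [01/Apr/2023:10:00:03] GET /xwiki/bin/view/Main/WebHome',
]

# Both macros named in the advisory take the column list as a "columns" parameter.
MACRO_RE = re.compile(r'\{\{(documents|livetable)\b(.*?)\}\}', re.I | re.S)
COLUMNS_RE = re.compile(r'columns\s*=\s*"([^"]*)"', re.I)
# Markup a column *name* never legitimately contains: a tag opener,
# an inline event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:', re.I)


def normalize(text, rounds=3):
    """Undo URL and HTML-entity encoding until the text stops changing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(text))
        if decoded == text:
            break
        text = decoded
    return text


def find_suspicious_columns(log_lines):
    """Return (line_no, macro, column) for every column name carrying markup."""
    findings = []
    for line_no, raw in enumerate(log_lines):
        line = normalize(raw)
        for macro in MACRO_RE.finditer(line):
            for cols in COLUMNS_RE.finditer(macro.group(2)):
                for col in cols.group(1).split(','):
                    col = col.strip()
                    if MARKUP_RE.search(col):
                        findings.append((line_no, macro.group(1).lower(), col))
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_columns(SAMPLE_LOGS):
        print('line %d: %s macro, column %r' % hit)
```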
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/65ca06c51e7a1d5a579344c7272b2cc9a9a21126
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6vgh-9r3c-2cxp
- https://jira.xwiki.org/browse/XWIKI-15205