CVE-2023-29508
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in XWiki Commons allows users without script rights to inject malicious scripts via the Live Data macro; the scripts execute when the page is viewed by other users. The vulnerability is exploitable when the last author of the page content has script rights. All XWiki installations running vulnerable versions are affected.
💻 Affected Systems
- XWiki Commons
- XWiki Platform
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, deface content, or redirect users to malicious sites, potentially leading to complete account compromise and data theft.
Likely Case
Attackers inject malicious scripts that steal user sessions or credentials when victims view compromised pages, leading to unauthorized access and potential privilege escalation.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized, preventing execution and limiting impact to data integrity issues only.
🎯 Exploit Status
Requires only an ordinary user account (no script rights needed); exploitation is straightforward once such an account is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 14.10, 14.4.7, or 13.10.11
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
Restart Required: Yes
Instructions:
1. Back up your XWiki installation.
2. Download the patched version from xwiki.org.
3. Stop the XWiki service.
4. Replace the installation with the patched version.
5. Restart the XWiki service.
6. Verify that the upgrade completed successfully.
🔧 Temporary Workarounds
Disable Live Data macro
Remove or restrict access to the Live Data macro to prevent exploitation.
Edit the XWiki configuration to disable com.xpn.xwiki.plugin.livedata.LiveDataMacro
Restrict script rights
Limit the number of users with script rights to minimize the attack surface.
Review and reduce the users holding the 'script' privilege in the XWiki administration.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Enable XSS filters in web application firewall and monitor for Live Data macro abuse
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version in the administration panel or via the xwiki.cfg file. If the version is earlier than the fixed release for its branch (13.10.11 on 13.10.x, 14.4.7 on 14.4.x, or 14.10 otherwise), the system is vulnerable.
Check Version:
Check /xwiki/bin/view/Admin/ or examine WEB-INF/xwiki.cfg for version information.
Verify Fix Applied:
After patching, verify that the version shows 14.10+, 14.4.7+, or 13.10.11+ in the administration panel, and test that the Live Data macro still functions.
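Because the fix shipped on three maintenance branches, a plain "is it below 14.10?" comparison misclassifies versions such as 14.5 (vulnerable) or 14.4.8 (fixed). The following branch-aware check is an added example, not code from the advisory or from XWiki; it assumes XWiki's usual `major.minor[.patch][-rc-N]` version strings and treats pre-releases as not carrying the fix.

```python
"""Branch-aware version check for CVE-2023-29508 (XWiki Live Data stored XSS).

Fixed releases per the vendor advisory: 13.10.11, 14.4.7 and 14.10.
"""
import re
from typing import Tuple

# Everything from 14.10 onwards carries the fix.
MAINLINE_FIX = (14, 10, 0)
# Backports on maintenance branches: fixed only within the same major.minor.
BRANCH_FIXES = [(13, 10, 11), (14, 4, 7)]

# major.minor[.patch] with an optional -rc-N / -milestone-N suffix.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(rc|milestone)-(\d+))?$", re.I
)


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '14.4.7' or '14.10-rc-1' into a comparable tuple.

    Final releases end in (1, 0); a pre-release ends in (0, N) so it sorts
    below the final release it precedes. Counting pre-releases as unfixed is
    an assumption of this example, not a statement from the advisory.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3] or 0)
    if m[4]:
        return (major, minor, patch, 0, int(m[5]))
    return (major, minor, patch, 1, 0)


def is_vulnerable(version: str) -> bool:
    """True if this XWiki version lacks the CVE-2023-29508 fix."""
    v = parse_version(version)
    if v >= MAINLINE_FIX + (1, 0):          # 14.10 and later, including 15.x
        return False
    for fix in BRANCH_FIXES:                 # backported fix on its own branch only
        if v[:2] == fix[:2] and v >= fix + (1, 0):
            return False
    return True


if __name__ == "__main__":
    for sample in ["13.10.10", "13.10.11", "14.4.6", "14.4.8", "14.5", "14.10-rc-1", "14.10", "15.0"]:
        print(f"{sample:12} vulnerable={is_vulnerable(sample)}")
```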
📡 Detection & Monitoring
Log Indicators:
- Unusual Live Data macro usage patterns
- Multiple failed script execution attempts
- User accounts without script rights modifying Live Data content
Network Indicators:
- Unexpected script tags in Live Data responses
- Suspicious outbound connections from XWiki pages
SIEM Query:
source="xwiki.log" AND ("LiveData" OR "script injection")
🔗 References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hmm7-6ph9-8jf2
- https://jira.xwiki.org/browse/XWIKI-20312