CVE-2023-34464
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in XWiki Platform allows users with document editing permissions to inject malicious HTML into a document. When another user, especially one with programming rights, views that document through the displaycontent or rendercontent templates with plain output syntax, the injected code runs with the victim's privileges, letting the attacker perform arbitrary actions and potentially compromise the entire XWiki installation.
💻 Affected Systems
- XWiki Platform
- org.xwiki.platform:xwiki-platform-web
- org.xwiki.platform:xwiki-platform-web-templates
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker with edit permissions could compromise a user with programming rights, leading to complete system takeover, data theft, and destruction of the XWiki installation.
Likely Case
Privilege escalation leading to unauthorized access, data manipulation, and potential installation of backdoors or malware.
If Mitigated
Limited to document-level manipulation if proper input validation and output encoding are enforced, with minimal impact on system integrity.
🎯 Exploit Status
Exploitation requires an authenticated user with edit permissions and social engineering to lure a privileged user into viewing the malicious document.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 14.4.8, 14.10.5, 15.1RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7
Restart Required: Yes
Instructions:
1. Identify the running XWiki version.
2. Upgrade to a patched version: 14.4.8, 14.10.5, or 15.1RC1.
3. Restart the XWiki service.
4. Verify the fix by checking the version and testing that XSS payloads no longer execute.
🔧 Temporary Workarounds
Restrict document editing permissions
Limit document editing to trusted users only and remove programming rights from accounts that do not need them.
Disable displaycontent and rendercontent templates
Block access to the vulnerable templates if they are not required for functionality.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for user-generated content.
- Monitor and audit user activities, especially document edits and privilege escalations.
🔍 How to Verify
Check if Vulnerable:
Check XWiki version against affected ranges and test with XSS payloads in documents using displaycontent/rendercontent templates.
Check Version:
Check XWiki administration panel or configuration files for version number.
Verify Fix Applied:
Confirm version is 14.4.8, 14.10.5, or 15.1RC1+ and test that HTML injection no longer executes in plain output syntax.
📡 Detection & Monitoring
Log Indicators:
- Unusual document edits, especially with HTML content
- Access to displaycontent or rendercontent templates with suspicious parameters
Network Indicators:
- HTTP requests to vulnerable templates with encoded payloads
SIEM Query:
source="xwiki.log" AND ("displaycontent" OR "rendercontent") AND ("<script>" OR "javascript:")
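The SIEM query above can be reproduced as a small log scanner. This is an added example, not part of the advisory or of XWiki; the log line format and the query parameters in the sample are constructed for illustration, and the scanner goes one step further than the query by URL-decoding each line first, so percent-encoded payloads (the "encoded payloads" the network indicator mentions) are also caught.

```python
from urllib.parse import unquote

# Constructed sample log lines (not real XWiki output). The request format,
# the xpage/outputSyntax/content/href parameters and the paths are invented
# for this example; only the template names and markers come from the query.
SAMPLE_LOG = """\
2023-06-01 10:00:01 INFO GET /xwiki/bin/view/Main/WebHome?xpage=displaycontent&outputSyntax=plain
2023-06-01 10:00:02 INFO GET /xwiki/bin/view/Sandbox/Test?xpage=rendercontent&outputSyntax=plain&content=<script>alert(1)</script>
2023-06-01 10:00:03 INFO GET /xwiki/bin/view/Sandbox/Test?xpage=rendercontent&content=%3Cscript%3Ealert(1)%3C%2Fscript%3E
2023-06-01 10:00:04 INFO GET /xwiki/bin/view/Main/Other?xpage=view&content=<script>x</script>
2023-06-01 10:00:05 INFO GET /xwiki/bin/view/Main/Link?xpage=displaycontent&href=javascript:alert(1)
"""

# Terms taken from the advisory's SIEM query.
TEMPLATES = ("displaycontent", "rendercontent")
PAYLOAD_MARKERS = ("<script>", "javascript:")


def _has_template_and_marker(text: str) -> bool:
    """(displaycontent OR rendercontent) AND (<script> OR javascript:)."""
    text = text.lower()
    return any(t in text for t in TEMPLATES) and any(m in text for m in PAYLOAD_MARKERS)


def matches_raw_query(line: str) -> bool:
    """Literal behaviour of the SIEM query: substring match on the raw line."""
    return _has_template_and_marker(line)


def is_suspicious(line: str) -> bool:
    """Same rule, but applied after URL-decoding so %3Cscript%3E is caught too."""
    return _has_template_and_marker(unquote(line))


def scan_log(text: str) -> list[str]:
    """Return the log lines that should raise an alert."""
    return [ln for ln in text.splitlines() if ln.strip() and is_suspicious(ln)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT:", hit)
```

Running it flags three of the five constructed lines; the percent-encoded one on the third line is missed by the literal query but caught once decoded.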
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/53e8292a31ec70fba5e1d705a4ac443658b9e6df
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fp7h-f9f5-x4q7
- https://jira.xwiki.org/browse/XWIKI-20290