CVE-2023-34465
📋 TL;DR
This vulnerability allows any logged-in user in XWiki Platform to modify mail configuration settings, including viewing and editing SMTP credentials. Attackers can exploit this to steal email credentials, send spam/phishing emails, or disrupt email services. Affects XWiki versions 11.8-rc-1 through 14.4.7, 14.10.5, and 15.0.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain SMTP credentials, send malicious emails from your domain, steal sensitive data via email interception, and potentially pivot to other systems using stolen credentials.
Likely Case
Unauthorized users modify mail settings, send spam/phishing emails from your organization's domain, and potentially exfiltrate email credentials.
If Mitigated
Limited to logged-in users only, with no access to SMTP credentials if proper access controls are implemented.
🎯 Exploit Status
Exploitation requires a valid user account but is trivial once authenticated. No public exploit code available but simple to craft.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.4.8, 14.10.6, or 15.1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
Restart Required: Yes
Instructions:
1. Back up your XWiki installation.
2. Upgrade to XWiki 14.4.8, 14.10.6, or 15.1.
3. Restart the XWiki service.
4. Verify that the Mail.MailConfig page now has proper access controls.
🔧 Temporary Workarounds
Manual Access Control Update
Restrict update permissions on the Mail.MailConfig page to trusted users only:
1. Navigate to the Mail.MailConfig page in XWiki.
2. Edit the page rights to restrict them to XWiki.XWikiAdminGroup or specific trusted users.
🧯 If You Can't Patch
- Immediately restrict access to Mail.MailConfig page to only trusted administrators
- Disable or monitor all non-admin user accounts for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version. If it is between 11.8-rc-1 and 14.4.7, or is 14.10.5 or 15.0 (i.e., older than the fixed releases 14.4.8, 14.10.6 and 15.1), and the Mail.MailConfig page is accessible to non-admin users, you are vulnerable.
Check Version:
Check XWiki version in administration panel or via xwiki.cfg configuration file
Verify Fix Applied:
After patching, verify that non-admin users cannot access or edit the Mail.MailConfig page.
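The version check above can be automated. The following is an added example (not part of the advisory or of XWiki itself) that parses an XWiki version string, including release candidates such as 11.8-rc-1, and compares it against the affected and fixed versions the advisory names. The page lists the affected versions as "11.8-rc-1 through 14.4.7, 14.10.5, and 15.0" and the fixes as 14.4.8, 14.10.6 and 15.1; the code assumes these describe three maintenance branches, each affected up to its own fixed release. Version strings are supplied by you (e.g. from the administration panel or xwiki.cfg).

```python
import re
from typing import Tuple

# Version boundaries quoted from the advisory text: the first affected release
# and the fixed release on each maintenance branch it names.
FIRST_AFFECTED = "11.8-rc-1"
FIXED_14_4 = "14.4.8"    # closes the 11.8-rc-1 .. 14.4.7 range
FIXED_14_10 = "14.10.6"  # closes the 14.x line up to 14.10.5
FIXED_15 = "15.1"        # closes 15.0

# Matches "14.4.7", "15.1" and pre-releases such as "11.8-rc-1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?$", re.IGNORECASE)

Version = Tuple[int, int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse an XWiki version string into a sortable tuple.

    The fourth element orders a release candidate (0) before the final
    release (1) of the same version; the fifth is the rc number.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {text!r}")
    major, minor, patch, rc = match.groups()
    is_final = 0 if rc else 1
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_vulnerable(installed: str) -> bool:
    """True when the installed version falls inside an affected range.

    Assumption: every release from the first affected version up to (but
    excluding) the fixed release of its own branch is affected; this is how
    the advisory's 'through' ranges are read here.
    """
    v = parse_version(installed)
    if v < parse_version(FIRST_AFFECTED):
        return False                        # predates the vulnerable code
    if v[:2] <= (14, 4):
        return v < parse_version(FIXED_14_4)
    if v[0] == 14:
        return v < parse_version(FIXED_14_10)
    if v[0] == 15:
        return v < parse_version(FIXED_15)
    return False                            # 16.x and later ship the fix


if __name__ == "__main__":
    for sample in ("11.7.2", "11.8-rc-1", "14.4.7", "14.4.8",
                   "14.10.5", "14.10.6", "15.0", "15.1"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed/unaffected"
        print(f"{sample:>10}: {state}")
```

A passing version check is necessary but not sufficient: the advisory's own verification step still applies, so confirm that a non-admin test account cannot view or edit Mail.MailConfig after the upgrade.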
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Mail.MailConfig page
- Changes to mail configuration by non-admin users
- Unusual SMTP activity from XWiki server
Network Indicators:
- Unexpected outbound SMTP traffic from XWiki server
- Spam/phishing emails originating from your domain
SIEM Query:
source="xwiki" AND ((event="page_edit" AND page="Mail.MailConfig" AND user!="admin") OR (event="mail_send" AND status="success" AND user!="admin"))
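The same two conditions as the SIEM query, run over log lines offline. This is an added example, not part of the advisory; the key=value event format and the field names (source, event, page, status, user) are assumptions modelled on the query above, and real XWiki deployments log in whatever format their logging configuration produces. Instead of excluding a single "admin" account it checks the acting user against an allowlist of trusted accounts, since mail configuration is normally maintained by more than one administrator.

```python
import re
from typing import Dict, List, Optional, Tuple

# Hypothetical key="value" event format mirroring the SIEM query's fields.
_KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Accounts permitted to edit mail configuration or send mail through XWiki.
# Assumed names; replace with the members of your admin group.
TRUSTED_USERS = {"XWiki.Admin", "XWiki.MailOps"}
MAIL_CONFIG_PAGE = "Mail.MailConfig"

# Constructed sample log: one legitimate admin edit, one non-admin edit,
# one non-admin successful send, and one event from an unrelated source.
SAMPLE_LOG = [
    'ts="2023-06-20T09:14:02Z" source="xwiki" event="page_view" page="Main.WebHome" user="XWiki.jdoe"',
    'ts="2023-06-20T09:15:47Z" source="xwiki" event="page_edit" page="Mail.MailConfig" user="XWiki.jdoe"',
    'ts="2023-06-20T09:16:10Z" source="xwiki" event="page_edit" page="Mail.MailConfig" user="XWiki.Admin"',
    'ts="2023-06-20T09:20:33Z" source="xwiki" event="mail_send" status="success" user="XWiki.jdoe"',
    'ts="2023-06-20T09:21:00Z" source="nginx" event="page_edit" page="Mail.MailConfig" user="XWiki.jdoe"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a key="value" log line into a dict; unknown tokens are ignored."""
    return dict(_KV_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert reason for a suspicious XWiki event, else None.

    Both branches require source="xwiki", which is the precedence the
    original query needs: the source filter must apply to the whole OR.
    """
    if event.get("source") != "xwiki":
        return None
    user = event.get("user", "<unknown>")
    if user in TRUSTED_USERS:
        return None
    if event.get("event") == "page_edit" and event.get("page") == MAIL_CONFIG_PAGE:
        return f"mail configuration edited by non-admin {user}"
    if event.get("event") == "mail_send" and event.get("status") == "success":
        return f"mail sent through XWiki by non-admin {user}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, reason) pairs for every line that trips a rule."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        reason = classify(event)
        if reason:
            alerts.append((event.get("ts", ""), reason))
    return alerts


if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(f"{ts}  {reason}")
```

Running it on the constructed sample flags the 09:15:47 edit and the 09:20:33 send, and ignores the admin's edit and the nginx line.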
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/8910b8857d3442d2e8142f655fdc0512930354d1
- https://github.com/xwiki/xwiki-platform/commit/d28d7739089e1ae8961257d9da7135d1a01cb7d4
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g75c-cjr6-39mc
- https://jira.xwiki.org/browse/XWIKI-20519
- https://jira.xwiki.org/browse/XWIKI-20671