CVE-2023-35150
📋 TL;DR
This vulnerability allows any user with view rights on any document in XWiki Platform to execute arbitrary code with programming rights, leading to remote code execution. Attackers can exploit this by crafting a URL with a malicious payload. All XWiki instances running affected versions are vulnerable.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the XWiki server, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Attackers gain remote code execution capabilities, allowing them to install backdoors, exfiltrate sensitive data, or use the server for further attacks.
If Mitigated
If proper network segmentation and least privilege access are implemented, impact may be limited to the XWiki application server only.
🎯 Exploit Status
Exploitation requires view rights on any document, which is typically granted to many users. The advisory includes technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.0, 14.10.4, or 14.4.8
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w
Restart Required: Yes
Instructions:
1. Backup your XWiki instance.
2. Upgrade to XWiki 15.0, 14.10.4, or 14.4.8.
3. Restart the XWiki application server.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Restrict Document View Permissions
Temporarily restrict view permissions on all documents to trusted administrators only, until patching can be completed.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate XWiki from critical systems
- Deploy a web application firewall (WAF) with rules to block suspicious URL patterns
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version via the Admin interface or by examining the application files. Any version from 2.40m-2 onward that is older than the fixed releases (14.4.8, 14.10.4, or 15.0) is vulnerable.
Check Version:
Check XWiki Admin dashboard or examine WEB-INF/xwiki.properties file for version information.
Verify Fix Applied:
After the upgrade, verify that the version is 14.4.8, 14.10.4, 15.0, or a later release. Test that users with only view rights cannot execute arbitrary code.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns with encoded payloads in access logs
- Unexpected process execution from XWiki context
- Authentication logs showing view-only users performing privileged actions
Network Indicators:
- Outbound connections from XWiki server to unexpected destinations
- Unusual traffic patterns from XWiki application
SIEM Query:
source="xwiki_access.log" AND (url="*%24services*" OR url="*%24xcontext*" OR url="*eval*" OR url="*exec*" OR url="*Runtime*" OR url="*ProcessBuilder*")
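The SIEM query above matches the raw access-log text, so a double-encoded request (for example `%2524services`, which only becomes `$services` after two decoding passes) would slip past it. The following Python example is added here and is not from the advisory or from XWiki: it scans constructed sample access-log lines, percent-decodes each request path until it stops changing, and reports which of the page's indicator strings appear. The log format, the sample lines and the case-insensitive matching are assumptions.

```python
import re
from urllib.parse import unquote

# Indicator substrings taken from the page's SIEM query, written in their
# decoded form ("%24" decodes to "$"). Lower-cased: matching is assumed
# to be case-insensitive.
INDICATORS = ("$services", "$xcontext", "eval", "exec", "runtime", "processbuilder")

# Assumed combined-log-format request field: "<METHOD> <path> HTTP/x.y" <status>
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%2524 -> %24 -> $) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_indicators(path):
    """Return the indicator strings present in the fully decoded, lower-cased path."""
    decoded = fully_decode(path).lower()
    return [ind for ind in INDICATORS if ind in decoded]

def scan_access_log(lines):
    """Return one hit per log line whose request path contains an indicator."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        found = suspicious_indicators(match.group("path"))
        if found:
            hits.append({"line": lineno, "path": match.group("path"), "indicators": found})
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Jun/2023:10:01:09 +0000] "GET /xwiki/bin/view/Main/WebHome?x=%24services HTTP/1.1" 200 812',
    '10.0.0.7 - - [12/Jun/2023:10:01:15 +0000] "GET /xwiki/bin/view/Main/WebHome?x=%2524xcontext HTTP/1.1" 200 790',
    '10.0.0.9 - - [12/Jun/2023:10:02:30 +0000] "GET /xwiki/bin/view/Docs/Executive HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['indicators']} in {hit['path']}")
```

The `Docs/Executive` line shows that the bare `exec` and `eval` indicators are noisy on their own; review such hits against the full request before escalating.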
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w
- https://jira.xwiki.org/browse/XWIKI-20285