CVE-2023-35152
📋 TL;DR
This vulnerability allows any logged-in XWiki user to inject malicious code into their first name field, which executes with programming rights. This leads to privilege escalation, potentially granting administrative access. Affects XWiki Platform versions 12.9-rc-1 through 14.4.7, 14.10.5, and 15.0.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control over the XWiki instance, allowing data theft, system compromise, and lateral movement.
Likely Case
Privileged user escalates to administrator, modifies configurations, accesses sensitive data, or deploys backdoors.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated account compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via user profile editing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.4.8, 14.10.6, or 15.1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Upgrade to XWiki 14.4.8, 14.10.6, or 15.1.
3. Restart the application server.
🔧 Temporary Workarounds
Manual patch application
Apply the security patch from the GitHub commit to fix the vulnerability without a full upgrade.
Apply changes from commit 0993a7ab3c102f9ac37ffe361a83a3dc302c0e45 to your XWiki installation.
🧯 If You Can't Patch
- Restrict user profile editing permissions to administrators only.
- Implement strict input validation and output encoding for user fields.
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version via Admin > About. If the version is in the range 12.9-rc-1 through 14.4.7, or is exactly 14.10.5 or 15.0, the instance is vulnerable.
Check Version:
Check Admin > About in XWiki web interface or inspect xwiki.properties file.
Verify Fix Applied:
After patching, verify that the version is 14.4.8, 14.10.6, or 15.1. Test by attempting to inject code in the first name field and confirming it is no longer executed.
📡 Detection & Monitoring
Log Indicators:
- Unusual user profile modifications, especially first name field changes containing script tags or code snippets.
- Unexpected privilege escalation events in audit logs.
Network Indicators:
- Suspicious POST requests to user profile update endpoints with encoded payloads.
SIEM Query:
Search for events where user.firstName field contains executable code patterns (e.g., <script>, ${...}).
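The following scanner is an added example, not part of this advisory or of XWiki's own tooling, showing how the SIEM logic above can be expressed in code: it reads audit events and flags first-name changes whose new value contains the code-like patterns named above (`<script>`, `${...}`). The JSON-per-line log format, the field names (`event`, `field`, `old`, `new`) and the sample lines are all constructed assumptions; adapt the parsing to whatever your XWiki audit or reverse-proxy logs actually emit.

```python
import json
import re

# Constructed sample audit events (assumed JSON-per-line format; this is NOT
# XWiki's real log format, only a stand-in for demonstrating the detection).
SAMPLE_LOG = """
{"ts":"2023-06-20T10:01:02Z","event":"profile.update","user":"alice","field":"first_name","old":"Alice","new":"Alicia"}
{"ts":"2023-06-20T10:05:17Z","event":"profile.update","user":"bob","field":"first_name","old":"Bob","new":"<script>x</script>"}
{"ts":"2023-06-20T10:07:44Z","event":"profile.update","user":"carol","field":"first_name","old":"Carol","new":"${probe}"}
{"ts":"2023-06-20T10:09:00Z","event":"profile.update","user":"dave","field":"email","old":"d@example.org","new":"dave@example.org"}
{"ts":"2023-06-20T10:12:31Z","event":"login","user":"eve"}
"""

# Patterns named in the advisory's SIEM guidance: script tags and ${...} expressions.
# Each pattern carries a human-readable label for the finding.
CODE_PATTERNS = [
    (re.compile(r"<\s*script\b", re.IGNORECASE), "script tag"),
    (re.compile(r"\$\{[^}]*\}"), "${...} expression"),
]


def scan_profile_changes(log_text, field="first_name"):
    """Return findings for profile updates whose new value looks like code.

    Only 'profile.update' events touching `field` are inspected; other events
    and malformed lines are skipped so one bad line cannot abort the scan.
    """
    findings = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            # Malformed line: skip rather than crash the whole scan.
            continue
        if event.get("event") != "profile.update" or event.get("field") != field:
            continue
        new_value = str(event.get("new", ""))
        for pattern, label in CODE_PATTERNS:
            if pattern.search(new_value):
                findings.append({
                    "ts": event.get("ts"),
                    "user": event.get("user"),
                    "reason": label,
                    "value": new_value,
                })
                break  # one finding per event is enough
    return findings


if __name__ == "__main__":
    for hit in scan_profile_changes(SAMPLE_LOG):
        print(f"{hit['ts']} user={hit['user']} {hit['reason']}: {hit['value']!r}")
```

Running the block on the constructed sample flags the changes by `bob` and `carol` and ignores the benign rename, the email change and the login event. In practice, feed it the audit stream where profile edits are recorded and correlate any hit with the "unexpected privilege escalation" indicator above, since a code-like first name is only worth paging on when it is followed by rights the account did not have before.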
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39
- https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm
- https://jira.xwiki.org/browse/XWIKI-19900
- https://jira.xwiki.org/browse/XWIKI-20611