CVE-2023-35153
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in XWiki Platform allows users with edit rights to inject malicious scripts into wiki pages. When other users visit the affected '/xwiki/bin/view/AppWithinMinutes/ClassEditSheet' page, the scripts execute in their browsers. This affects XWiki installations from version 5.4.4 up to (but not including) 14.4.8, 14.10.4, and 15.0.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers with edit rights could steal session cookies, perform actions as other users, redirect to malicious sites, or install malware on user systems.
Likely Case
Privilege escalation, session hijacking, or data theft from authenticated users visiting the vulnerable page.
If Mitigated
Limited impact if proper input validation and output encoding are implemented, though the vulnerability still exists.
🎯 Exploit Status
Exploitation requires edit rights but is straightforward once those permissions are obtained. The vulnerability is well-documented in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.4.8, 14.10.4, or 15.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97
Restart Required: Yes
Instructions:
1. Backup your XWiki installation.
2. Upgrade to XWiki 14.4.8, 14.10.4, or 15.0.
3. Restart the XWiki service.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Manual patch of ClassEditSheet
Apply the security patch to the AppWithinMinutes.ClassEditSheet page as referenced in the advisory.
Apply the patch from: https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392
🧯 If You Can't Patch
- Restrict edit rights to trusted users only.
- Monitor access to '/xwiki/bin/view/AppWithinMinutes/ClassEditSheet' and audit user activities.
🔍 How to Verify
Check if Vulnerable:
Your installation is vulnerable if it runs XWiki 5.4.4 or later and the version is below 14.4.8 on the 14.4.x branch, below 14.10.4 on the 14.10.x branch, or below 15.0 on any other branch.
Check Version:
Check the XWiki administration panel or view the page source for version information.
Verify Fix Applied:
After patching, verify the version is 14.4.8 or later on the 14.4.x branch, 14.10.4 or later on the 14.10.x branch, or 15.0 or later.
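As an added example (not from the advisory or the XWiki project), this Python check encodes the affected ranges stated in this summary so a list of version strings can be screened; treating pre-release suffixes such as "-rc-1" as older than the final release is the example's own assumption.

```python
from typing import Tuple

# Thresholds as stated in the summary above: the issue was introduced in 5.4.4
# and fixed in 14.4.8 (14.4.x branch), 14.10.4 (14.10.x branch) and 15.0.
# Tuples carry a trailing flag, 1 for a final release and 0 for a pre-release,
# so that e.g. 15.0-rc-1 sorts before 15.0 (an assumption of this example).
FIRST_AFFECTED = (5, 4, 4, 1)
BRANCH_FIXES = {(14, 4): (14, 4, 8, 1), (14, 10): (14, 10, 4, 1)}
MAINLINE_FIX = (15, 0, 0, 1)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an XWiki version string such as '14.10.3' or '15.0-rc-1' into a
    comparable (major, minor, patch, is_final) tuple. Missing components are 0."""
    core, _, suffix = text.strip().partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return (nums[0], nums[1], nums[2], 0 if suffix else 1)


def is_vulnerable(version: str) -> bool:
    """True if the given version falls inside the affected ranges of CVE-2023-35153."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch_fix = BRANCH_FIXES.get(v[:2])
    if branch_fix is not None:
        # 14.4.x and 14.10.x received backported fixes; earlier patch levels stay vulnerable.
        return v < branch_fix
    # Any other release line (e.g. 14.5 to 14.9, or 15.0 pre-releases) is fixed only from 15.0.
    return v < MAINLINE_FIX


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ["14.4.7", "14.4.8", "14.9.0", "14.10.3", "14.10.4", "15.0-rc-1", "15.0"]:
        print(f"{sample:>10}: {'VULNERABLE' if is_vulnerable(sample) else 'fixed'}")
```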
📡 Detection & Monitoring
Log Indicators:
- Unusual edits to pages containing 'AppWithinMinutes.FormFieldCategoryClass'
- Repeated accesses to '/xwiki/bin/view/AppWithinMinutes/ClassEditSheet' by the same user
Network Indicators:
- Unexpected outbound connections from XWiki server after page visits
SIEM Query:
source="xwiki" AND (uri="/xwiki/bin/view/AppWithinMinutes/ClassEditSheet" OR message="*AppWithinMinutes.FormFieldCategoryClass*")
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/1b87fec1e5b5ec00b7a8c3c3f94f6c5e22547392#diff-79e725ec7125cced7d302e1a1f955a76745af26ef28a148981b810e85335d302
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4wc6-hqv9-qc97
- https://jira.xwiki.org/browse/XWIKI-20365