CVE-2023-35156
📋 TL;DR
CVE-2023-35156 is a reflected cross-site scripting (XSS) vulnerability in XWiki Platform. The delete template (delete.vm) takes the xredirect request parameter and uses it as a URL without checking its scheme, so a link carrying xredirect=javascript:... runs attacker-chosen JavaScript in the browser of any user who opens it, with that user's rights in the wiki. HTML escaping does not help here: the value lands in a URL context, where a javascript: scheme is executable. Affected: XWiki 6.0-rc-1 up to and including 14.10.5, and the 15.x line before 15.1. Fixed in 14.10.6 and 15.1.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki: XWiki Platform, the open-source enterprise wiki engine developed in the xwiki/xwiki-platform repository on GitHub. The vulnerable file is a core Velocity template, so every XWiki distribution built on the affected platform versions carries it.
⚠️ Risk & Real-World Impact
Worst Case
An administrator, or any user holding programming rights, opens the crafted link. The injected script runs with that user's session and can take over the account, change access rights, and save a page containing a script macro; XWiki executes script macros on the server, so the browser-side XSS becomes remote code execution on the wiki host.
Likely Case
A regular authenticated user is phished with the link. The attacker gets the victim's session and can act in the victim's name: read and exfiltrate any page the victim can view, edit or delete content, and escalate to whatever rights the victim holds.
If Mitigated
Exposure is reduced if a filter in front of the wiki rejects xredirect values that are not on-site URLs. A Content Security Policy helps only if it excludes 'unsafe-inline' (see workarounds), and user awareness training is a weak control against a link that looks like an ordinary wiki URL. Patching is the only complete fix.
🎯 Exploit Status
A proof-of-concept URL is published in the vendor advisory. Exploitation is a single crafted GET link: the attacker needs no account, and the victim only has to open the link while logged in. The advisory's proof of concept names an unrelated theme page, so the page in the link does not need to be one the victim could delete.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.6 or 15.1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c
Restart Required: Yes
Instructions:
1. Back up the XWiki installation (database and permanent directory).
2. Upgrade to 14.10.6 (or later on the 14.10 line) or to 15.1 or later.
3. Restart the servlet container so the new WAR is deployed.
4. Confirm the running version, then re-run the test URL from "How to Verify" from a throwaway account to confirm that no script executes.
🔧 Temporary Workarounds
Input Validation Filter
Reject any xredirect value that is not a path-absolute URL on the wiki itself (a single leading "/") or an absolute http(s) URL whose host is the wiki's own host. A blocklist on the literal string "javascript:" is not enough: browsers compare the scheme case-insensitively and strip tabs and newlines, so "JaVaScRiPt:" and "java%09script:" reach the same sink, and the value arrives at the template already URL-decoded, so a rule that matches only the raw query string misses "javascript%3A".
- Add a servlet filter in front of XWiki, or a rule in the reverse proxy, that applies that allowlist to xredirect on every request
- If the WAF can only do substring matching, match case-insensitively on the decoded query string and include the encoded form javascript%3A, and treat it as a stopgap with known bypasses
Content Security Policy
A CSP whose script-src directive omits 'unsafe-inline' does block javascript: URLs, but XWiki's own templates rely on inline scripts, so "Content-Security-Policy: script-src 'self'" breaks the interface, and adding 'unsafe-inline' to repair it re-allows javascript: URLs. Treat CSP as defense in depth, not as the workaround for this CVE.
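As an added example (not XWiki's own code and not from the vendor advisory), the allowlist check in Python, next to the naive substring rule, run on constructed xredirect values. The host name wiki.example.org, the function names and the sample values are assumptions for the demonstration. The check runs on the URL-decoded parameter value, which is what a servlet filter or the template sees.

```python
import re
from urllib.parse import urlsplit

# Hosts the wiki may legitimately redirect to (constructed example value;
# replace with the wiki's own host names).
ALLOWED_HOSTS = {"wiki.example.org"}

_ASCII_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_LEADING_TRAILING_C0_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_like_browser(value: str) -> str:
    """Apply the parts of WHATWG URL parsing that attackers abuse:
    strip leading/trailing C0 controls and spaces, drop ASCII tab/CR/LF
    anywhere, and lower-case so the scheme compares case-insensitively."""
    value = value.strip(_LEADING_TRAILING_C0_SPACE)
    value = _ASCII_TAB_NEWLINE.sub("", value)
    return value.lower()


def naive_block(value: str) -> bool:
    """The substring rule from the workaround list, as a WAF might implement it.
    Returns True when the request would be blocked."""
    return "javascript:" in value


def is_safe_redirect(value: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allowlist check for an xredirect value (validate, do not rewrite).

    Accepts only:
      * a path-absolute URL on the wiki itself ("/xwiki/bin/view/..."), or
      * an absolute http(s) URL whose host is in allowed_hosts.
    Everything else (javascript:, data:, protocol-relative //host,
    backslash tricks, off-site hosts) is rejected.
    """
    v = normalize_like_browser(value)
    # Browsers treat "\" as "/" in http(s) URLs, so "/\evil.example" becomes
    # "//evil.example"; simplest to refuse backslashes outright.
    if not v or "\\" in v:
        return False
    try:
        parts = urlsplit(v)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme:
        if parts.scheme not in ("http", "https"):
            return False        # javascript:, data:, vbscript:, ...
        return parts.hostname in allowed_hosts
    if parts.netloc:            # protocol-relative URL: //evil.example/x
        return False
    return v.startswith("/")    # path-absolute, stays on this origin


if __name__ == "__main__":
    # Constructed xredirect values: the first two are legitimate, the rest
    # are exploit or off-site variants.
    samples = [
        "/xwiki/bin/view/Main/WebHome",
        "https://wiki.example.org/xwiki/bin/view/Main/",
        "javascript:alert('test')",
        "JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        " \tjavascript:alert(1)",
        "//evil.example/x",
        "/\\evil.example/x",
        "data:text/html,<script>alert(1)</script>",
    ]
    for s in samples:
        print(f"{s!r:45} naive_blocks={naive_block(s)!s:5} allowed={is_safe_redirect(s)}")
```

The allowlist rejects every variant the substring rule lets through (mixed-case scheme, tab inside the scheme, leading whitespace) and also catches protocol-relative and backslash forms that carry no javascript: at all but still send the victim off-site. The logic ports unchanged to a javax.servlet.Filter in front of XWiki or to the proxy's rule language.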
🧯 If You Can't Patch
- Apply the xredirect allowlist at the reverse proxy or WAF, on the URL-decoded and lower-cased parameter value, for every request that carries xredirect, not only those naming delete.vm
- Check the access logs for legitimate use of the combination xpage=xpart with vm=delete.vm; if there is none, block that combination at the proxy until the upgrade is done
🔍 How to Verify
Check if Vulnerable:
From a browser logged in as a throwaway test account (the script runs in your own session), open <base-url>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert('test'). An alert dialog means the instance is vulnerable. Test against the application directly, not through the WAF: a WAF rule that blocks the literal string makes a vulnerable instance look patched.
Check Version:
Look in the Administration section or the page footer/source; on the server the version is in the platform jar names under WEB-INF/lib, e.g. xwiki-platform-oldcore-<version>.jar.
Verify Fix Applied:
After upgrading, the same test URL must not execute any script, and the version must be 14.10.6 or later on the 14.10 line, or 15.1 or later. Both checks are needed: a proxy rule can suppress the alert without fixing the application.
📡 Detection & Monitoring
Log Indicators:
- Query strings whose xredirect value carries a scheme other than http(s): javascript: or its encoded form javascript%3A, in any letter case, possibly with %09, %0A or %0D inserted inside the scheme name
- Requests combining xpage=xpart with vm=delete.vm, especially when xredirect is present
- The same crafted URL requested by many distinct users or sessions in a short window, which is what a phishing wave looks like; user-agent anomalies are low signal for a link-based attack
Network Indicators:
- HTTP requests whose query parameters carry a javascript: or data: scheme, encoded or not
- Redirects to hosts outside the wiki's own domain following delete or delete.vm requests
SIEM Query:
(web.url:*javascript:* OR web.url:*javascript%3A*) AND (web.url:*delete.vm* OR web.url:*xredirect*)
Run it case-insensitively and adjust wildcard and escaping syntax for your SIEM. A fixed string still misses tab/newline-obfuscated variants such as JaVa%09ScRiPt%3A; match on a URL-decoded, normalized field if the pipeline provides one, or normalize the parameter values in a post-processing step.
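As an added example (not XWiki's or the advisory's code), a Python scan over constructed combined-format access-log lines that applies the same browser-style normalization before looking for a non-http scheme in any query parameter, so the encoded and tab-obfuscated variant is caught where the literal SIEM string would miss it. The log lines, IP addresses and timestamps are fabricated for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined log format), not real traffic.
# Lines 1-2 are crafted exploit attempts (plain, and encoded + tab/newline
# obfuscated); lines 3-4 are ordinary wiki activity, including a legitimate
# xredirect on the delete action.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2023:10:01:22 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert('test') HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jun/2023:10:02:05 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=%09JaVa%0AScRiPt%3Aalert(1) HTTP/1.1" 200 1823 "-" "Mozilla/5.0"
198.51.100.4 - admin [12/Jun/2023:10:03:41 +0000] "GET /xwiki/bin/delete/Sandbox/TestPage?xredirect=%2Fxwiki%2Fbin%2Fview%2FSandbox%2FWebHome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jun/2023:10:04:10 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

_LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*:")
_TAB_NL = re.compile(r"[\t\n\r]")
_C0_SPACE = "".join(chr(c) for c in range(0x21))


def browser_scheme(value: str):
    """Scheme a browser would see for a decoded parameter value, or None.
    Mirrors the WHATWG steps attackers rely on: strip leading/trailing
    controls and spaces, drop tab/CR/LF, compare case-insensitively."""
    v = _TAB_NL.sub("", value.strip(_C0_SPACE)).lower()
    m = _SCHEME.match(v)
    return m.group(0)[:-1] if m else None


def scan_access_log(text: str):
    """Return one finding per request that matches a CVE-2023-35156 indicator."""
    findings = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qsl URL-decodes values, so %3A / %09 / %0A are resolved here.
        params = parse_qsl(parts.query, keep_blank_values=True)
        pmap = {k.lower(): v for k, v in params}
        reasons = []
        for key, val in params:
            scheme = browser_scheme(val)
            if scheme and scheme not in ("http", "https"):
                reasons.append(f"{key} uses scheme {scheme}:")
        if (pmap.get("xpage") == "xpart" and pmap.get("vm") == "delete.vm"
                and "xredirect" in pmap):
            reasons.append("delete.vm rendered via xpart with xredirect")
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": parts.path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "; ".join(f["reasons"]))
```

The benign delete request on line 3 carries an xredirect too, but its decoded value has no scheme, so it is not flagged; only the two crafted requests are reported, the second of them purely because of the normalization step.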
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/13875a6437d4525ac4aeea25918f2d2dffac9ee1
- https://github.com/xwiki/xwiki-platform/commit/24ec12890ac7fa6daec8d0b3435cfcba11362fd5
- https://github.com/xwiki/xwiki-platform/commit/e80d22d193df364b07bab7925572720f91a8984a
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-834c-x29c-f42c
- https://jira.xwiki.org/browse/XWIKI-20341
- https://jira.xwiki.org/browse/XWIKI-20583
- https://jira.xwiki.org/browse/XWIKI-20672