CVE-2023-35158
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious JavaScript via specially crafted URLs. The vulnerability affects the restore template functionality and can be exploited by any user who can access the vulnerable XWiki instance. This impacts all XWiki installations running affected versions.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of user sessions, account takeover, data theft, and potential server-side compromise if combined with other vulnerabilities.
Likely Case
Session hijacking, credential theft, defacement, and client-side data exfiltration from users who visit malicious links.
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user input validation is enforced.
🎯 Exploit Status
Exploit details and example URLs are publicly available in the advisory. The vulnerability requires user interaction (clicking a malicious link).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 14.10.5 and 15.1-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8
Restart Required: Yes
Instructions:
1. Back up your XWiki installation.
2. Upgrade to XWiki 14.10.5 or 15.1-rc-1.
3. Restart the XWiki application server.
4. Verify the fix by checking the version.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation that rejects any xredirect value using the javascript: protocol (or any scheme other than a same-site path or http/https URL)
Configure web application firewall rules to block requests with javascript: in URL parameters
Content Security Policy
Implement strict CSP headers to prevent script execution from untrusted sources
Add the header Content-Security-Policy: script-src 'self' to HTTP responses
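The input-validation workaround above is easier to get right as an allow-list than as a search for the string "javascript:", because a validator has to see through percent-encoding, mixed case, embedded tab/newline characters and protocol-relative URLs before it decides. The following is an added example written for this page, not XWiki's own code or fix: it accepts an xredirect value only if it is an absolute path on the instance or an http(s) URL whose host is in an assumed ALLOWED_HOSTS set (the hostname wiki.example.org is a constructed placeholder), and rejects every other scheme. The filter-style wrapper check_query_string and its 400/200 results are likewise assumptions for illustration.

```python
"""Server-side validation for XWiki's xredirect parameter (added example, not XWiki code).

Allow-list approach: a redirect target is accepted only if it is an absolute path on
this instance or an http(s) URL whose host is one of ours. Anything with another
scheme (javascript:, data:, ...) is rejected, including obfuscated spellings.
"""
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed value: the hostname(s) this XWiki instance is served under.
ALLOWED_HOSTS = {"wiki.example.org"}

# ASCII control characters and space; browsers ignore these around a scheme.
_CTRL_WS = "".join(chr(c) for c in range(0x21)) + "\x7f"


def _normalize(value: str) -> str:
    """Undo the tricks a validator must see through before parsing."""
    decoded = value
    for _ in range(3):                      # bounded loop also handles double encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    cleaned = decoded.strip(_CTRL_WS)
    for ch in ("\t", "\n", "\r"):           # browsers drop these anywhere in a URL
        cleaned = cleaned.replace(ch, "")
    return cleaned.replace("\\", "/")       # browsers treat backslash as slash


def is_safe_redirect(value, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for same-site targets; javascript: and other schemes never pass."""
    if not value:
        return False
    cleaned = _normalize(value)
    parts = urlsplit(cleaned)
    if parts.scheme == "":
        # No scheme: accept an absolute path, reject protocol-relative //host (and ///host).
        return parts.netloc == "" and cleaned.startswith("/") and not cleaned.startswith("//")
    if parts.scheme in ("http", "https"):
        # hostname is lowercased and excludes userinfo and port, so
        # https://wiki.example.org@evil.example/ resolves to evil.example here.
        return parts.hostname in allowed_hosts
    return False


def check_query_string(query: str) -> tuple:
    """Hypothetical filter hook: reject a request whose xredirect is unsafe."""
    params = parse_qs(query, keep_blank_values=True)
    for candidate in params.get("xredirect", []):
        if not is_safe_redirect(candidate):
            return 400, "rejected unsafe xredirect"
    return 200, "ok"


if __name__ == "__main__":
    # The page's own test payload, shown being stopped by the filter.
    print(check_query_string("xpage=restore&showBatch=true&xredirect=javascript:console.log('test')"))
    print(check_query_string("xpage=restore&xredirect=/xwiki/bin/view/Main/WebHome"))
```

Normalizing before parsing is what makes the check robust: the decision is taken on the form a browser would actually act on, and the allow-list means a new scheme or encoding trick fails closed rather than slipping past a deny-list.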
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to block inline scripts
- Deploy WAF rules to block requests containing javascript: protocol in parameters
🔍 How to Verify
Check if Vulnerable:
Check if your XWiki version is between 9.4-rc-1 and 14.10.4, or exactly 15.0.0. Test with a safe payload: /xwiki/bin/view/XWiki/Main?xpage=restore&showBatch=true&xredirect=javascript:console.log('test')
Check Version:
Check XWiki administration panel or view /xwiki/bin/view/Main/WebHome page footer for version information
Verify Fix Applied:
After patching, attempt the exploit URL and verify JavaScript is not executed. Check that xredirect parameter properly validates URLs.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'xpage=restore' with 'xredirect=javascript:' in URL parameters
- Unusual JavaScript execution errors in browser console logs
Network Indicators:
- HTTP GET requests with javascript: protocol in query parameters
- Outbound connections to suspicious domains following XWiki access
SIEM Query:
http.url:*xpage=restore* AND http.url:*xredirect=javascript:*
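The SIEM wildcard above only matches the literal spelling "xredirect=javascript:"; a percent-encoded or mixed-case variant of the same request would not hit it. The script below is an added example, not part of the advisory, that applies the same log indicator more robustly: it parses Apache/nginx combined-format access-log lines, decodes the query string, and flags any request whose xredirect parameter carries a scheme other than http(s). The four log lines are constructed samples (two attempts using the page's console.log test payload, one plain and one percent-encoded, plus two benign requests); the log format and field names are assumptions.

```python
"""Scan web-server access logs for CVE-2023-35158 exploitation attempts.

Added example, not from the advisory. It reads Apache/nginx combined-format lines,
decodes the query string, and flags requests whose xredirect parameter carries a
non-http(s) scheme such as javascript:. Decoding first catches percent-encoded and
mixed-case spellings that a literal "xredirect=javascript:" wildcard search misses.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD URL PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
SAFE_SCHEMES = {"", "http", "https"}

# Constructed sample lines: two attempts (plain and percent-encoded), two benign requests.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/Jun/2023:12:01:02 +0000] "GET /xwiki/bin/view/XWiki/Main'
    "?xpage=restore&showBatch=true&xredirect=javascript:console.log('test') HTTP/1.1\" 200 5120",
    '198.51.100.4 - - [10/Jun/2023:12:01:05 +0000] "GET /xwiki/bin/view/XWiki/Main'
    '?xpage=restore&showBatch=true&xredirect=%6Aavascript%3Aconsole.log(%27test%27) HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Jun/2023:12:02:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8800',
    '192.0.2.10 - - [10/Jun/2023:12:02:30 +0000] "GET /xwiki/bin/view/XWiki/Main'
    '?xpage=restore&xredirect=/xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
]


def redirect_scheme(value: str) -> str:
    """Scheme of a redirect value after undoing encoding/whitespace tricks ('' if none)."""
    decoded = value
    for _ in range(3):                      # bounded loop also handles double encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", decoded)   # browsers ignore these in a scheme
    m = SCHEME_RE.match(cleaned)
    return m.group(1).lower() if m else ""


def find_xss_attempts(lines):
    """Return one record per request whose xredirect uses a non-http(s) scheme."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                        # not a combined-format line; skip it
        params = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        for value in params.get("xredirect", []):
            scheme = redirect_scheme(value)
            if scheme in SAFE_SCHEMES:
                continue
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "xpage": params.get("xpage", [""])[0],
                "scheme": scheme,
                "url": m.group("url"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_xss_attempts(SAMPLE_LOG_LINES):
        print(f"{hit['time']} {hit['ip']} xpage={hit['xpage']} scheme={hit['scheme']} {hit['url']}")
```

Run against the sample lines it reports the two attempts and ignores the benign restore request with a same-site xredirect, so the same logic can be used to review historical logs for the period before the patch was applied.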
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/d5472100606c8355ed44ada273e91df91f682738
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-mwxj-g7fw-7hc8
- https://jira.xwiki.org/browse/XWIKI-20352
- https://jira.xwiki.org/browse/XWIKI-20583