CVE-2023-35160
📋 TL;DR
This vulnerability allows attackers to inject malicious JavaScript into XWiki pages by crafting URLs with payloads in the resubmit template parameters. It enables cross-site scripting (XSS) attacks that can steal session cookies, redirect users, or perform actions on their behalf. All XWiki installations from version 2.5-milestone-2 through 14.10.4 and 15.0 are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
Xwiki by Xwiki
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Attackers can steal administrator session cookies, take over administrative accounts, install backdoors, exfiltrate all wiki data, or use the compromised server as a pivot point for further attacks.
Likely Case
Attackers steal user session cookies to hijack accounts, deface wiki pages, or redirect users to malicious sites for credential harvesting.
If Mitigated
If proper input validation and output encoding are implemented, the XSS payloads would be neutralized before execution.
🎯 Exploit Status
The advisory includes specific exploit examples in URLs, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.5 and 15.1-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3
Restart Required: Yes
Instructions:
1. Backup your XWiki installation and database. 2. Upgrade to XWiki 14.10.5 or 15.1-rc-1. 3. Restart the XWiki application server. 4. Verify the fix by checking the version and testing the vulnerable endpoints.
🔧 Temporary Workarounds
Input Validation Filter
allImplement a web application firewall or reverse proxy rule to block URLs containing 'javascript:' in the resubmit and xback parameters.
# Example nginx rule: location ~* "/xwiki/bin/view/" { if ($args ~* "(resubmit|xback)=javascript:") { return 403; } }
Disable Resubmit Template
allRemove or restrict access to the resubmit template if not required for your use case.
# Modify xwiki.cfg: xwiki.template.resubmit.enabled=false
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to block inline JavaScript execution.
- Deploy a web application firewall (WAF) with XSS protection rules enabled.
🔍 How to Verify
Check if Vulnerable:
Test by accessing a URL like: /xwiki/bin/view/XWiki/Main?xpage=resubmit&resubmit=javascript:alert('test')&xback=javascript:alert('test'). If JavaScript executes, the system is vulnerable.Check Version:
Check the XWiki version in the administration panel or via: grep -r "xwiki.version" /path/to/xwiki/WEB-INF/Verify Fix Applied:
After patching, test the same URL. JavaScript should not execute, and parameters should be properly sanitized.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'xpage=resubmit' with 'javascript:' in parameters
- Unusual JavaScript execution in resubmit context
Network Indicators:
- HTTP requests to /xwiki/bin/view/* with resubmit and xback parameters containing JavaScript payloads
SIEM Query:
source="web_logs" AND uri_path="/xwiki/bin/view/*" AND (query_string="*resubmit=javascript:*" OR query_string="*xback=javascript:*")🔗 References
- https://github.com/xwiki/xwiki-platform/commit/dbc92dcdace33823ffd1e1591617006cb5fc6a7f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3
- https://jira.xwiki.org/browse/XWIKI-20343
- https://jira.xwiki.org/browse/XWIKI-20583
- https://github.com/xwiki/xwiki-platform/commit/dbc92dcdace33823ffd1e1591617006cb5fc6a7f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r8xc-xxh3-q5x3
- https://jira.xwiki.org/browse/XWIKI-20343
- https://jira.xwiki.org/browse/XWIKI-20583
