CVE-2023-35162
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious JavaScript via specially crafted URLs. The vulnerability affects all XWiki installations from version 6.1-rc-1 through 14.10.4, potentially enabling session hijacking, credential theft, or malware distribution.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, data exfiltration, or malware deployment to all users visiting malicious links
Likely Case
Session hijacking, credential theft, or defacement of wiki pages
If Mitigated
Limited impact if proper Content Security Policy (CSP) headers are implemented and user awareness training is in place
🎯 Exploit Status
Exploit example provided in advisory shows simple URL construction requiring no authentication
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.5 or 15.1-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q9hg-9qj2-mxf9
Restart Required: Yes
Instructions:
1. Back up your XWiki installation.
2. Upgrade to XWiki 14.10.5 or 15.1-rc-1.
3. Restart the XWiki service.
4. Verify the fix by checking the version and testing the exploit URL.
🔧 Temporary Workarounds
Disable previewactions template
Applies to: all affected versions
Remove or restrict access to the vulnerable previewactions.vm template:
mv /path/to/xwiki/templates/previewactions.vm /path/to/xwiki/templates/previewactions.vm.disabled
Implement Content Security Policy
Applies to: all affected versions
Add CSP headers to prevent JavaScript execution from untrusted sources. Test the wiki afterwards, since a script-src policy without 'unsafe-inline' also blocks the application's own inline scripts.
Add to the web server config (nginx syntax shown): add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block URLs containing 'javascript:' protocol in parameters
- Restrict access to XWiki instance to trusted users only using network segmentation and authentication
🔍 How to Verify
Check if Vulnerable:
Test with exploit URL: <hostname>/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert('test')
Check Version:
Check XWiki version in administration panel or via: grep -r "version" /path/to/xwiki/WEB-INF/xwiki.properties
Verify Fix Applied:
After patching, the same exploit URL should not execute JavaScript
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'previewactions.vm' with 'javascript:' in parameters
- Unusual JavaScript execution in user sessions
Network Indicators:
- Outbound connections to suspicious domains following XWiki access
- Unusual traffic patterns from XWiki server
SIEM Query:
source="xwiki.log" AND "previewactions.vm" AND "javascript:"
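An added example (not part of the advisory) of the log indicator above applied to access logs: it parses constructed combined-format log lines, decodes the query string, and flags requests that select previewactions.vm with a javascript: value in any parameter, including percent-encoded variants that a literal "javascript:" match would miss.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2023:12:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.7 - - [10/Jun/2023:12:00:02 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert('test') HTTP/1.1" 200 312
10.0.0.9 - - [10/Jun/2023:12:00:03 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=%6Aava%73cript%3Aalert(1) HTTP/1.1" 200 312
10.0.0.9 - - [10/Jun/2023:12:00:04 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=/xwiki/bin/view/Main/ HTTP/1.1" 200 312
"""

# Client IP, timestamp, method and request target of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)

def normalise(value):
    # parse_qsl already decoded once; decode twice more to catch double-encoded
    # payloads, then drop whitespace/control characters that browsers ignore
    # inside a URL scheme, and compare case-insensitively.
    v = unquote(unquote(value))
    v = re.sub(r'[\s\x00-\x1f]', '', v)
    return v.lower()

def is_suspicious(target):
    """True if the request selects previewactions.vm with a javascript: parameter value."""
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    if params.get("vm", "").lower() != "previewactions.vm":
        return False
    # The advisory's vector uses xcontinue; check every parameter value so a
    # renamed or additional parameter does not slip past the rule.
    return any(normalise(v).startswith("javascript:") for v in params.values())

def scan_log(text):
    """Return (client_ip, request_target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits

if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} {target}")
```

The SIEM query above matches only the literal string "javascript:", so the third sample line (percent-encoded) would not trigger it; normalising the URL before matching, as here, closes that gap.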
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/9f01166b1a8ee9639666099eb5040302df067e4d
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-q9hg-9qj2-mxf9
- https://jira.xwiki.org/browse/XWIKI-20342
- https://jira.xwiki.org/browse/XWIKI-20583