CVE-2023-36470 – CVE-2023-36470 is a critical remote code execut... (How to Fix)

Q: What is the severity of CVE-2023-36470?

CVE-2023-36470 has a CVSS score of 9.9 (CRITICAL). CVE-2023-36470 is a critical remote code execution vulnerability in XWiki Platform that allows attackers to inject and execute malicious code with programming rights through icon set manipulation. This affects all XWiki instances running vulnerable versions, enabling complete compromise of the wiki instance. Attackers can exploit this via the icon picker or by editing icon themes to execute arbitrary code.

📋 TL;DR

CVE-2023-36470 is a critical remote code execution vulnerability in XWiki Platform that allows attackers to inject and execute malicious code with programming rights through icon set manipulation. This affects all XWiki instances running vulnerable versions, enabling complete compromise of the wiki instance. Attackers can exploit this via the icon picker or by editing icon themes to execute arbitrary code.

💻 Affected Systems

Products:

XWiki Platform

Versions: All versions before 14.10.6 and 15.x before 15.1

Operating Systems: All platforms running XWiki

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all XWiki installations with vulnerable versions regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the XWiki instance allowing attackers to execute arbitrary code, access/modify all data, install backdoors, and potentially pivot to other systems.

🟠

Likely Case

Remote code execution leading to data theft, privilege escalation, and installation of persistent backdoors or malware.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external exploitation, though internal threats remain.

🌐 Internet-Facing: HIGH - Directly exploitable via web interface without authentication in some attack vectors.

🏢 Internal Only: HIGH - Even internally, any user with edit permissions can potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple attack vectors exist including via icon picker and icon theme editing. The advisory provides technical details that could facilitate exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.6 or 15.1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf

Restart Required: Yes

Instructions:

1. Backup your XWiki instance. 2. Upgrade to XWiki 14.10.6 or 15.1. 3. Restart the XWiki service. 4. Verify the upgrade was successful.

🔧 Temporary Workarounds

No workarounds available

all

The vendor states there are no known workarounds for this vulnerability

🧯 If You Can't Patch

Isolate the XWiki instance from the internet and restrict internal access to only necessary users
Implement strict monitoring and alerting for suspicious activity on the XWiki server

🔍 How to Verify

Check if Vulnerable:

Check XWiki version via Admin interface or by examining the installation directory. Versions before 14.10.6 or 15.1 are vulnerable.

Check Version:

Check XWiki admin dashboard or examine the XWiki installation files for version information.

Verify Fix Applied:

Verify the version is 14.10.6 or higher (14.x branch) or 15.1 or higher (15.x branch). Test icon functionality to ensure it works without errors.

📡 Detection & Monitoring

Log Indicators:

Unusual icon theme modifications
Velocity code execution in icon-related requests
Suspicious script macro injections

Network Indicators:

HTTP requests to icon picker endpoints with malicious payloads
Unusual outbound connections from XWiki server

SIEM Query:

Search for POST requests to */rest/wikis/*/icon* endpoints with suspicious content or Velocity code patterns

📊 Metadata

CVE ID: CVE-2023-36470

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-74

Published: June 29, 2023

Last Updated: November 21, 2024

🔗 References

https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 Patch
https://github.com/xwiki/xwiki-platform/commit/79418dd92ca11941b46987ef881bf50424898ff4 Patch
https://github.com/xwiki/xwiki-platform/commit/b0cdfd893912baaa053d106a92e39fa1858843c7 Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf Exploit,Patch,Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20524 Exploit,Issue Tracking,Patch,Vendor Advisory
https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 Patch
https://github.com/xwiki/xwiki-platform/commit/79418dd92ca11941b46987ef881bf50424898ff4 Patch
https://github.com/xwiki/xwiki-platform/commit/b0cdfd893912baaa053d106a92e39fa1858843c7 Patch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf Exploit,Patch,Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20524 Exploit,Issue Tracking,Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-36470, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Xwiki by Xwiki

Xwiki by Xwiki

Xwiki by Xwiki

Xwiki by Xwiki

Xwiki by Xwiki

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

No workarounds available

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities