CVE-2023-36471
📋 TL;DR
A vulnerability in the XWiki Commons HTML sanitizer allows users who have edit rights but no script rights to create phishing forms or embed crafted form inputs that can lead to remote code execution when an administrator submits them. It affects XWiki installations from version 14.6RC1 up to, but not including, 14.10.6 and 15.2RC1. The vulnerability enables privilege escalation from a low-privileged user to potentially full system compromise.
💻 Affected Systems
- XWiki Commons
- XWiki Platform
📦 What is this software?
Commons by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Phishing attacks against users or privilege escalation allowing attackers to execute arbitrary code with admin privileges.
If Mitigated
Limited to phishing attempts if proper input validation and user awareness are in place, but the RCE risk remains as long as admins interact with malicious content.
🎯 Exploit Status
Exploitation requires the attacker to have edit rights (but not script rights) and requires an admin to interact with the crafted content. The public advisory includes exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.6 or 15.2RC1
Vendor Advisory: https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v
Restart Required: Yes
Instructions:
1. Back up your XWiki instance.
2. Download and install XWiki 14.10.6 or 15.2RC1 from official sources.
3. Follow the XWiki upgrade documentation.
4. Restart the application server.
5. Verify the fix by checking the version and testing sanitizer functionality.
🔧 Temporary Workarounds
Manual configuration workaround
Add the form-related tags to the HTML sanitizer's forbidden tags list in the xwiki.properties configuration.
Edit xwiki.properties and add: xml.htmlElementSanitizer.forbidTags = form, input, select, textarea, button
🧯 If You Can't Patch
- Implement the manual configuration workaround immediately
- Restrict edit permissions to trusted users only and monitor for suspicious form/input tag usage
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version: if it is between 14.6RC1 and 14.10.5, or between 15.0.0 and 15.1.0, you are vulnerable. Also check whether form/input tags are still allowed by the HTML sanitizer (i.e. not listed in xml.htmlElementSanitizer.forbidTags).
Check Version:
Check the XWiki administration panel, or view xwiki.cfg/xwiki.properties for version information.
Verify Fix Applied:
After upgrading to 14.10.6+ or 15.2RC1+, verify the version and test that form/input tags are properly sanitized.
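The two checks in this section, carried out as an added Python example (not XWiki project code): a version-range test using the advisory's boundaries (affected from 14.6RC1, fixed in 14.10.6 on the 14.x line and in 15.2RC1 on the 15.x line) and a test of whether the forbidTags workaround is present in xwiki.properties. It assumes release candidates sort before the final release of the same number (15.2RC1 before 15.2) and treats every 15.x build before 15.2RC1 as affected; the xwiki.properties excerpts are constructed.

```python
import re
from typing import NamedTuple

# Added example for CVE-2023-36471 (not XWiki project code). It answers the two
# "Check if Vulnerable" questions: is this version in the affected range, and
# has the forbidTags workaround been applied in xwiki.properties?


class XWikiVersion(NamedTuple):
    """XWiki version such as 14.10.6, 15.1 or 15.2RC1."""
    major: int
    minor: int
    patch: int
    rc: int  # 0 means a final release, n means release candidate n

    def key(self):
        # Ordering assumption: a release candidate sorts before the final
        # release with the same number (15.2RC1 < 15.2), and RC2 > RC1.
        is_final = 1 if self.rc == 0 else 0
        return (self.major, self.minor, self.patch, is_final, self.rc)


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:RC(\d+))?$")


def parse_version(text: str) -> XWikiVersion:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, rc = m.groups()
    return XWikiVersion(int(major), int(minor), int(patch or 0), int(rc or 0))


# Boundaries taken from the advisory: affected from 14.6RC1, fixed in 14.10.6
# on the 14.x line and in 15.2RC1 on the 15.x line.
FIRST_AFFECTED = parse_version("14.6RC1")
FIXED_14 = parse_version("14.10.6")
FIXED_15 = parse_version("15.2RC1")


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    if v.key() < FIRST_AFFECTED.key():
        return False
    if v.major == 14:
        return v.key() < FIXED_14.key()
    if v.major == 15:
        return v.key() < FIXED_15.key()
    # Assumption: branches after 15.x were cut after the fix landed.
    return False


FORM_TAGS = {"form", "input", "select", "textarea", "button"}
FORBID_KEY = "xml.htmlElementSanitizer.forbidTags"


def forbidden_tags(properties_text: str) -> set:
    """Tags listed under xml.htmlElementSanitizer.forbidTags.

    Minimal reader for `key = value` lines; commented lines ('#', including
    XWiki's '#-#' documentation lines) are ignored.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == FORBID_KEY:
            return {t.strip().lower() for t in value.split(",") if t.strip()}
    return set()


def workaround_applied(properties_text: str) -> bool:
    """True when every form-related tag from the advisory is forbidden."""
    return FORM_TAGS <= forbidden_tags(properties_text)


# Constructed xwiki.properties excerpts (not real installation files).
PROPERTIES_DEFAULT = """\
#-# Tags to forbid in the HTML sanitizer (constructed excerpt, unchanged default)
#-# xml.htmlElementSanitizer.forbidTags =
"""

PROPERTIES_WORKAROUND = """\
# constructed excerpt with the workaround from the advisory applied
xml.htmlElementSanitizer.forbidTags = form, input, select, textarea, button
"""


if __name__ == "__main__":
    for ver in ("14.5", "14.6RC1", "14.10.5", "14.10.6", "15.1", "15.2RC1"):
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed/unaffected"
        print(f"{ver:>9}: {state}")
    print("workaround in default config:", workaround_applied(PROPERTIES_DEFAULT))
    print("workaround in hardened config:", workaround_applied(PROPERTIES_WORKAROUND))
```

Run it against the version string from the administration panel and the installation's own xwiki.properties; a version in range with no workaround present means both the patch and the forbidTags line are still outstanding.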
📡 Detection & Monitoring
Log Indicators:
- Unusual form submissions from non-admin users
- HTML content containing form/input tags in user edits
- Groovy code execution in unexpected contexts
Network Indicators:
- Unusual POST requests to edit endpoints
- Requests containing crafted HTML with form elements
SIEM Query:
Search for: 'form' OR 'input' OR 'textarea' in user-generated content logs AND (version contains '14.6' to '14.10.5' OR '15.0' to '15.1')
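The "HTML content containing form/input tags in user edits" indicator, implemented as an added Python example (not XWiki project code or a query for any particular SIEM). It parses each saved page body with the standard-library HTML parser, reports form-related elements authored by accounts outside an assumed trusted set, and records the form action for triage; the save events and user names are constructed.

```python
from html.parser import HTMLParser

# Added example for CVE-2023-36471 (not XWiki project code). It implements the
# "HTML content containing form/input tags in user edits" indicator: every
# saved page body is parsed and any form-related element authored by a user
# outside a trusted set is reported.

FORM_TAGS = {"form", "input", "select", "textarea", "button"}


class _FormTagCollector(HTMLParser):
    """Collects form-related start tags; HTMLParser lower-cases tag names."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags such as <input .../> also end up here, because
        # HTMLParser.handle_startendtag delegates to handle_starttag.
        if tag in FORM_TAGS:
            self.hits.append((tag, dict(attrs)))


def find_form_elements(content: str):
    """Return [(tag, attributes), ...] for form-related elements in content.

    The page body is fed as-is, so tags inside XWiki's {{html}} macro are
    seen; the macro delimiters themselves are plain text to the parser.
    """
    collector = _FormTagCollector()
    collector.feed(content)
    collector.close()
    return collector.hits


def scan_edits(edits, trusted_users):
    """Flag edits by untrusted users whose content contains form elements.

    `edits` is an iterable of {"user", "page", "content"} dicts, e.g. built
    from a save-event log; `trusted_users` is an assumed allow-list of
    accounts that legitimately hold script rights.
    """
    findings = []
    for edit in edits:
        if edit["user"] in trusted_users:
            continue
        hits = find_form_elements(edit["content"])
        if not hits:
            continue
        findings.append({
            "user": edit["user"],
            "page": edit["page"],
            "tags": sorted({tag for tag, _ in hits}),
            # Where a form posts to is the most useful triage detail.
            "form_actions": sorted({a["action"] for tag, a in hits
                                    if tag == "form" and a.get("action")}),
        })
    return findings


# Constructed save events (not real log data).
SAMPLE_EDITS = [
    {"user": "XWiki.Admin", "page": "Main.WebHome",
     "content": "{{html}}<form action=\"/search\"><input name=\"q\"></form>{{/html}}"},
    {"user": "XWiki.lowpriv", "page": "Sandbox.Welcome",
     "content": ("{{html}}<p>Please confirm your account:</p>"
                 "<FORM action=\"/constructed/collect\" method=\"post\">"
                 "<INPUT type=\"text\" name=\"username\">"
                 "<button>Confirm</button></FORM>{{/html}}")},
    {"user": "XWiki.alice", "page": "Docs.Notes",
     "content": "= Meeting notes =\n\nPlain wiki syntax, **no HTML** here."},
]

TRUSTED = {"XWiki.Admin"}


if __name__ == "__main__":
    for finding in scan_edits(SAMPLE_EDITS, TRUSTED):
        print(finding)
```

Feeding the parser the raw page body rather than grepping for the literal string "form" avoids matches on ordinary prose and catches upper-case or attribute-laden variants, which is why the second constructed edit is reported and the third is not.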
🔗 References
- https://github.com/xwiki/xwiki-commons/commit/99484d48e899a68a1b6e33d457825b776c6fe8c3
- https://github.com/xwiki/xwiki-commons/security/advisories/GHSA-6pqf-c99p-758v
- https://jira.xwiki.org/browse/XCOMMONS-2634