CVE-2023-36477
📋 TL;DR
This vulnerability allows any user with edit rights in XWiki Platform to edit all pages in the CKEditor space, enabling harmful actions like deleting technical documents (causing service disruption) and modifying CKEditor's JavaScript configuration (leading to persistent cross-site scripting). It affects XWiki Platform installations with CKEditor integration where users have edit permissions.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker with edit rights could delete critical technical documentation causing service outages, and inject malicious JavaScript leading to persistent XSS affecting all users who view affected pages, potentially compromising user sessions and data.
Likely Case
Malicious users with edit rights could inject persistent XSS payloads into CKEditor configuration pages, leading to session hijacking, credential theft, or defacement of wiki content.
If Mitigated
With proper access controls restricting edit rights to trusted administrators only, the attack surface is significantly reduced, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires authenticated users with edit rights. The vulnerability is straightforward to exploit once an attacker has edit permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 14.10.6, XWiki 15.1, CKEditor Integration extension 1.64.9 for older versions
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2
Restart Required: Yes
Instructions:
1. Upgrade XWiki Platform to version 14.10.6 or 15.1.
2. For XWiki versions older than 14.6RC1, upgrade the CKEditor Integration extension to 1.64.9.
3. Restart the XWiki application server.
🔧 Temporary Workarounds
Restrict Edit Rights
Manually restrict edit and delete rights on the CKEditor space to trusted users or groups only, such as XWiki.XWikiAdminGroup.
Navigate to the XWiki rights administration page and modify the permissions for the CKEditor space.
🧯 If You Can't Patch
- Immediately restrict edit and delete rights for the CKEditor space to only trusted administrators
- Monitor logs for suspicious edit activity in the CKEditor space and implement additional access controls
🔍 How to Verify
Check if Vulnerable:
Check whether your XWiki version is below 14.10.6 (14.x line) or below 15.1 (15.x line), or, for versions older than 14.6RC1, whether the CKEditor Integration extension is below 1.64.9.
Check Version:
Check XWiki administration panel or view xwiki.cfg configuration file
Verify Fix Applied:
Verify that the XWiki version is 14.10.6+ (14.x line) or 15.1+ (15.x line), or, for versions older than 14.6RC1, that the CKEditor Integration extension is 1.64.9+.
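The version check above is easy to get wrong by hand because two fixed lines (14.10.6 and 15.1) and a separate extension threshold (1.64.9, only for installations older than 14.6RC1) all apply at once, and XWiki release candidates sort before the final release of the same number. The following script is an added example, not part of this advisory or of the XWiki project; it encodes only the thresholds stated on this page, treats an unknown extension version as unpatched, and assumes version strings of the form MAJOR.MINOR[.PATCH] with an optional RC marker written as 14.6RC1 or 14.6-rc-1.

```python
import re
from typing import Optional, Tuple

# Key = (major, minor, patch, is_final, rc_number): a final release sorts after
# every RC of the same number, so "14.6RC1" < "14.6".
VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Parse 'MAJOR.MINOR[.PATCH]' with an optional RC marker into a sortable key."""
    m = re.fullmatch(r"(\d+(?:\.\d+){0,2})\s*(?:-?rc-?(\d+))?", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # "15.1" -> 15.1.0
    if m.group(2) is None:
        return (nums[0], nums[1], nums[2], 1, 0)
    return (nums[0], nums[1], nums[2], 0, int(m.group(2)))


# Thresholds taken from the advisory text on this page.
PLATFORM_FIX_14 = parse_version("14.10.6")   # fixed on the 14.x line
PLATFORM_FIX_15 = parse_version("15.1")      # fixed on the 15.x line and later
BUNDLED_SINCE = parse_version("14.6RC1")     # older installs get the fix via the extension
EXTENSION_FIX = parse_version("1.64.9")      # CKEditor Integration extension fix


def is_vulnerable(xwiki_version: str, ckeditor_extension_version: Optional[str] = None) -> bool:
    """True if the given XWiki (and, where relevant, extension) version is exposed to CVE-2023-36477."""
    xw = parse_version(xwiki_version)
    if xw >= PLATFORM_FIX_15:
        return False
    if xw[0] == 14 and xw >= PLATFORM_FIX_14:
        return False
    if xw < BUNDLED_SINCE:
        # Before 14.6RC1 the fix ships in the extension; an unknown extension
        # version is treated as unpatched rather than silently passing.
        if ckeditor_extension_version is None:
            return True
        return parse_version(ckeditor_extension_version) < EXTENSION_FIX
    # 14.6RC1 .. 14.10.5 and every 15.0.x build: only a platform upgrade helps.
    return True


if __name__ == "__main__":
    for platform, ext in [("14.10.5", None), ("14.10.6", None), ("15.0", None),
                          ("15.1", None), ("14.4.8", "1.64.8"), ("14.4.8", "1.64.9")]:
        state = "VULNERABLE" if is_vulnerable(platform, ext) else "fixed"
        print(f"XWiki {platform:<8} extension {ext or '-':<7} -> {state}")
```

Feed it the platform version shown in the XWiki administration panel and, for pre-14.6RC1 installs, the CKEditor Integration extension version from the Extension Manager.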
📡 Detection & Monitoring
Log Indicators:
- Unusual edit activity in CKEditor space pages
- Multiple page deletions in CKEditor space
- JavaScript modifications to CKEditor configuration files
Network Indicators:
- Unusual POST requests to CKEditor space edit endpoints
SIEM Query:
source="xwiki.log" AND ("CKEditor" AND ("edit" OR "delete" OR "save")) FROM users NOT IN admin_group
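To make the log and network indicators above concrete, the following script is an added example (not part of this advisory or of XWiki) that scans web-server access logs for write actions against the CKEditor space by users outside a trusted list. It assumes a combined-log-style format in which the reverse proxy records the authenticated XWiki user name, relies on XWiki's URL layout /<context>/bin/<action>/<Space>/<Page>, and uses an assumed subset of write actions that an operator would extend for their deployment; the sample log lines, user names and page names are constructed for the demonstration.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Combined-log-style line: client, ident, authenticated user, timestamp, request, status, bytes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# XWiki actions that change or remove a document (assumed subset; extend as needed).
WRITE_ACTIONS = {"edit", "inline", "save", "saveandcontinue", "delete", "deleteversions", "rollback"}
WATCHED_SPACE = "CKEditor"

# Constructed sample log; "admin" is the only trusted editor in this scenario.
SAMPLE_LOG = """\
10.0.0.5 - alice [28/Jun/2023:10:01:12 +0000] "GET /xwiki/bin/view/CKEditor/WebHome HTTP/1.1" 200 5123
10.0.0.7 - mallory [28/Jun/2023:10:02:30 +0000] "POST /xwiki/bin/save/CKEditor/Config HTTP/1.1" 302 0
10.0.0.7 - mallory [28/Jun/2023:10:03:01 +0000] "GET /xwiki/bin/delete/CKEditor/Installation HTTP/1.1" 200 0
10.0.0.9 - admin [28/Jun/2023:10:05:00 +0000] "POST /xwiki/bin/save/CKEditor/Config HTTP/1.1" 302 0
10.0.0.5 - alice [28/Jun/2023:10:06:00 +0000] "POST /xwiki/bin/save/Main/WebHome HTTP/1.1" 302 0
10.0.0.7 - mallory [28/Jun/2023:10:07:00 +0000] "POST /xwiki/bin/save/CKEditor/Config?xpage=plain HTTP/1.1" 302 0
"""
TRUSTED_USERS = {"admin"}


def parse_action(target: str) -> Optional[Tuple[str, str, str]]:
    """Return (action, space, page) for /<context>/bin/<action>/<Space>/<Page>, else None."""
    parts = urlsplit(target).path.strip("/").split("/")
    if "bin" not in parts:
        return None
    tail = parts[parts.index("bin") + 1:]
    if len(tail) < 3:
        return None
    return tail[0], tail[1], "/".join(tail[2:])


def detect(lines: Iterable[str], trusted_users: Set[str]) -> List[Dict[str, str]]:
    """Flag write actions on the watched space by users who are not on the trusted list."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = parse_action(m["target"])
        if parsed is None:
            continue
        action, space, page = parsed
        if space != WATCHED_SPACE or action not in WRITE_ACTIONS:
            continue
        if m["user"] in trusted_users:
            continue
        alerts.append({"time": m["ts"], "user": m["user"], "client": m["client"],
                       "method": m["method"], "action": action, "page": f"{space}.{page}"})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Counter:
    """Count (user, action) pairs so bulk deletions or repeated config saves stand out."""
    return Counter((a["user"], a["action"]) for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines(), TRUSTED_USERS)
    for a in found:
        print(f"{a['time']} {a['user']}@{a['client']} {a['method']} {a['action']} {a['page']}")
    for (user, action), n in summarize(found).items():
        print(f"{user}: {n} x {action}")
```

On the sample data only mallory's three requests are reported: the read-only view by alice, the save outside the CKEditor space, and the save by the trusted admin account all pass. Page restores after a deletion and rights changes on the space would not appear in an access log and need XWiki's own activity stream or application log in addition.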
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2
- https://jira.xwiki.org/browse/CKEDITOR-508
- https://jira.xwiki.org/browse/XWIKI-20590