CVE-2023-37277

9.6 CRITICAL

📋 TL;DR

This CVE describes a Cross-Site Request Forgery (CSRF) vulnerability in XWiki Platform's REST API that allows attackers to execute arbitrary code when combined with a user having programming rights. The vulnerability affects XWiki installations with default configurations, particularly those using browsers without SameSite cookie restrictions enabled. Successful exploitation can lead to complete compromise of the XWiki instance.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All versions before 14.10.8 and 15.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires a user with programming rights to be targeted. Firefox and Safari did not have SameSite cookie restrictions enabled by default as of March 2023.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to full system compromise, data theft, service disruption, and potential lateral movement within the network.

🟠 Likely Case

Unauthorized script execution through CSRF attacks, potentially leading to data manipulation, privilege escalation, or service disruption.

🟢 If Mitigated

Limited impact with proper CSRF protections and SameSite cookie restrictions enabled in browsers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick a user with programming rights into visiting a malicious page. The technical exploit itself is straightforward once the user is targeted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: XWiki 14.10.8 and 15.2

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6

Restart Required: Yes

Instructions:

1. Back up your XWiki installation.
2. Upgrade to XWiki 14.10.8 or 15.2.
3. Restart the XWiki service.
4. Verify the patch is applied by checking the version.

🔧 Temporary Workarounds

Enable SameSite Cookie Restrictions

all

Configure browsers to enforce SameSite cookie restrictions to mitigate CSRF attacks.

Browser-specific configuration required

Restrict Programming Rights

all

Limit users with programming rights to minimize attack surface.

XWiki administration panel configuration

🧯 If You Can't Patch

  • Implement web application firewall rules to block suspicious REST API requests
  • Isolate XWiki instance from internet access and restrict internal access

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version. If it is a 14.x release below 14.10.8, or a 15.x release below 15.2, the system is vulnerable.

Check Version:

Check XWiki administration panel or view xwiki.properties file

Verify Fix Applied:

Verify that the XWiki version is 14.10.8 or later in the 14.10.x line, or 15.2 or later.

📡 Detection & Monitoring

Log Indicators:

  • Unusual REST API POST requests
  • Unexpected script macro executions
  • Unauthorized administrative actions

Network Indicators:

  • CSRF token missing in REST API requests
  • Suspicious cross-origin requests to XWiki endpoints

SIEM Query:

source="xwiki" AND (http_method="POST" AND uri="/rest/*" AND NOT csrf_token=*)
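The SIEM query above can be replayed outside the SIEM as a quick triage script. The following is an added example, not part of the CVE record or of XWiki's own tooling: it applies the same three conditions (source xwiki, POST method, URI under /rest/, no CSRF token) plus the cross-origin indicator listed under Network Indicators to a handful of constructed log events. The key=value event format, the field names source, http_method, uri, csrf_token, host and origin, and the sample events themselves are assumptions for illustration; a real deployment has to map its own access-log or servlet-log fields onto them.

```python
"""Added example (not from the CVE record): re-implement the page's SIEM
query as a stand-alone check over constructed key=value log events.

Assumption (not from the page): each event is one line of space-separated
key=value pairs using the field names the page's query uses (source,
http_method, uri, csrf_token) plus 'host' and 'origin' for the
cross-origin indicator.  Real XWiki logs need their own field mapping.
"""
import shlex
from urllib.parse import urlparse


def parse_event(line: str) -> dict:
    """Parse one 'key=value key="quoted value"' line into a dict."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_rest_post_without_token(event: dict) -> bool:
    """Mirror of the SIEM query:
    source="xwiki" AND http_method="POST" AND uri="/rest/*" AND NOT csrf_token=*
    The uri="/rest/*" wildcard is modelled as a prefix match."""
    return (
        event.get("source") == "xwiki"
        and event.get("http_method") == "POST"
        and event.get("uri", "").startswith("/rest/")
        and not event.get("csrf_token")
    )


def is_cross_origin(event: dict) -> bool:
    """Origin header present and its host differs from the request Host."""
    origin = event.get("origin")
    host = event.get("host")
    if not origin or not host:
        return False
    return urlparse(origin).netloc.lower() != host.lower()


def triage(lines):
    """Return (line index, reasons) for every event matching an indicator."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        reasons = []
        if is_rest_post_without_token(ev):
            reasons.append("rest-post-no-csrf-token")
        if is_cross_origin(ev):
            reasons.append("cross-origin")
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # benign same-origin POST carrying a token
    'source=xwiki http_method=POST uri=/rest/wikis/xwiki/spaces/Main/pages/WebHome '
    'host=wiki.example.test origin=https://wiki.example.test csrf_token=abc123 status=200',
    # GET request; no token expected
    'source=xwiki http_method=GET uri=/rest/wikis/xwiki host=wiki.example.test status=200',
    # cross-site POST with no token: the shape the page's query is meant to surface
    'source=xwiki http_method=POST uri=/rest/wikis/xwiki/spaces/Main/pages/Test '
    'host=wiki.example.test origin=https://other.example.test status=201',
    # different source; ignored by the REST rule and has no Origin header
    'source=nginx http_method=POST uri=/rest/foo host=wiki.example.test status=200',
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(reasons)}")
```

Run as-is it reports only the third event, flagged for both indicators. Whether a missing token on a same-origin REST POST is itself suspicious depends on how the deployment's clients authenticate and on which fields the log pipeline actually records; the page names the indicator, so the script treats it as a hit and leaves the final judgement to the analyst.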
