CVE-2023-37462

9.9 CRITICAL

📋 TL;DR

This vulnerability in XWiki Platform allows attackers with view rights on the SkinsCode.XWikiSkinsSheet document to escalate privileges to programming rights, enabling execution of arbitrary script macros including Groovy and Python. This leads to remote code execution with unrestricted read/write access to all wiki contents. All XWiki installations using vulnerable versions are affected.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: All releases before 14.4.8; 14.5 through 14.10.3 (fixed in 14.10.4); 15.0 pre-releases before 15.0-rc-1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default SkinsCode.XWikiSkinsSheet document and requires only view rights to exploit.

📦 What is this software?

XWiki Platform is an open-source, Java-based enterprise wiki. Wiki pages can embed scripting macros (Velocity, Groovy, Python and others), and a macro runs with the rights of the document's content author, not the viewer. Groovy and Python macros are only executed when that author holds programming rights, so a default document authored with those rights that renders attacker-controlled content is a path from view access to programming rights, which is the bug described here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the XWiki instance with full administrative control, data theft, data destruction, and potential lateral movement to connected systems.

🟠

Likely Case

Unauthorized access to sensitive wiki content, data exfiltration, and installation of backdoors or malicious scripts.

🟢

If Mitigated

Removing view rights on SkinsCode.XWikiSkinsSheet from non-administrators takes away the precondition for the exploit. Network segmentation, strict access controls and monitoring on their own only limit the blast radius: a user who retains view rights can still obtain RCE.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only view rights on SkinsCode.XWikiSkinsSheet. On a wiki where guests (XWikiGuest) can view that document, no account is needed, so the "No" above applies only to installations that require login to view. The advisory includes reproduction steps, so exploit details are public.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.4.8, 14.10.4, or 15.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg

Restart Required: Yes for a full upgrade. Applying the fix by editing the SkinsCode.XWikiSkinsSheet wiki document in place takes effect on the next render, with no restart.

Instructions:

1. Upgrade to XWiki 14.4.8, 14.10.4, or 15.0-rc-1.
2. Alternatively, manually apply commit d9c88ddc to the SkinsCode.XWikiSkinsSheet document.
3. Restart the XWiki service (after an upgrade).

🔧 Temporary Workarounds

Manual patch application (applies to: all affected versions)

Apply the fix commit directly to the vulnerable document without a full upgrade: apply the changes from commit d9c88ddc4c0c78fa534bd33237e95dea66003d29 to SkinsCode.XWikiSkinsSheet.

Restrict document access (applies to: all affected versions)

Remove view rights from SkinsCode.XWikiSkinsSheet for all non-admin users: edit the document's rights so that only administrators can view it.

🧯 If You Can't Patch

  • Immediately restrict view access to SkinsCode.XWikiSkinsSheet document to administrators only
  • Implement network segmentation to isolate XWiki instance and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Follow testing instructions in GHSA advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg

Check Version:

Check the XWiki version in the administration panel, read the version key in WEB-INF/version.properties inside the deployed webapp, or query the REST root resource (/xwiki/rest), which reports the server version. xwiki.cfg does not record the version.
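The branch layout above (a fix on 14.4.x, a fix on 14.10.x, and 15.0-rc-1) makes a naive "version &lt; 14.10.4" check wrong: 14.4.9 is fixed, while 14.9.0 is not. The following is an added example, not code from the page or from the XWiki project; it parses XWiki-style version strings, including -rc-N and -milestone-N pre-releases, applies the advisory's fixed-version boundaries, and reads the version from the contents of version.properties (the "version=" key name is assumed; the sample text is constructed).

```python
import re

# XWiki versions look like "14.10.3", "15.0-rc-1" or "15.0-milestone-2".
# Pre-releases sort below the final release of the same number.
VERSION_RE = re.compile(r'(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?')
QUALIFIER_RANK = {'milestone': 0, 'rc': 1, None: 2}


def parse_version(version):
    """Turn an XWiki version string into a comparable tuple."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f'unrecognised XWiki version: {version!r}')
    major, minor = int(m[1]), int(m[2])
    patch = int(m[3]) if m[3] else 0
    qualifier_num = int(m[5]) if m[5] else 0
    return (major, minor, patch, QUALIFIER_RANK[m[4]], qualifier_num)


def is_vulnerable(version):
    """CVE-2023-37462: fixed in 14.4.8, 14.10.4 and 15.0-rc-1 (per branch)."""
    v = parse_version(version)
    if v >= parse_version('15.0-rc-1'):
        return False                       # 15.0-rc-1 and every later release
    if v[:2] == (14, 4):
        return v < parse_version('14.4.8')  # long-term 14.4.x branch
    if v[:2] == (14, 10):
        return v < parse_version('14.10.4')  # long-term 14.10.x branch
    # Everything else below 15.0-rc-1 (13.x, 14.0-14.3, 14.5-14.9, 15.0
    # milestones) never received a fix.
    return True


def version_from_properties(text):
    """Read the 'version' key from WEB-INF/version.properties content.
    (Key name is an assumption; check your deployment.)"""
    for line in text.splitlines():
        key, _, value = line.partition('=')
        if key.strip() == 'version':
            return value.strip()
    raise ValueError('no version key found')


# Constructed sample of a version.properties file, not taken from a real install.
SAMPLE_PROPERTIES = "# constructed sample\nversion=14.10.3\n"

if __name__ == '__main__':
    v = version_from_properties(SAMPLE_PROPERTIES)
    print(v, 'vulnerable' if is_vulnerable(v) else 'fixed')
    for probe in ['14.4.7', '14.4.8', '14.9.0', '14.10.4', '15.0-milestone-1', '15.0-rc-1']:
        print(probe, 'vulnerable' if is_vulnerable(probe) else 'fixed')
```

Feed it the version string from your own version.properties or REST root; a parse error means the string is in a format this check does not understand, and you should compare by hand rather than trust a default.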

Verify Fix Applied:

Check that SkinsCode.XWikiSkinsSheet contains the changes from commit d9c88ddc (compare the document's content against the commit), then re-run the advisory's reproduction steps and confirm the injected macro is no longer executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to SkinsCode.XWikiSkinsSheet
  • Execution of Groovy/Python macros from non-admin users
  • Creation of suspicious pages with crafted names

Network Indicators:

  • Unexpected outbound connections from XWiki server
  • Unexpected REST or /bin/save and /bin/edit requests that create or modify documents, in particular pages whose names carry wiki-macro syntax

SIEM Query:

source="xwiki" AND (document="SkinsCode.XWikiSkinsSheet" OR macro="groovy" OR macro="python") AND user!="admin"

This is an illustrative pseudo-query: field names depend on how your XWiki and servlet-container logs are parsed, and the default access log records request URLs rather than macro names, so the document and macro fields above must be derived from the URL path and page name. Excluding only the literal user "admin" also misses other administrative accounts; use your real administrator group.
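To turn the log indicators above into something that runs, here is an added example (not code from the page, the XWiki project or the advisory) that scans constructed combined-format access-log lines for two of the indicators: non-administrator requests to SkinsCode.XWikiSkinsSheet, and save/edit/create requests whose page name or query string contains wiki-macro syntax such as {{groovy}}. It assumes XWiki's default /<webapp>/bin/<action>/<space>/<page> URL layout and that your container or reverse proxy logs the authenticated user in the remote-user field; where that field is "-" the request is treated as unattributed and still flagged.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined log format; whether the remote-user field is populated depends on
# your servlet container / proxy configuration (assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# XWiki's default URL layout: /<webapp>/bin/<action>/<space>[/<space>...]/<page>
BIN_RE = re.compile(r'^/[^/]+/bin/(?P<action>[a-z]+)/(?P<doc>.+)$')
# Opening of a wiki-syntax macro, e.g. "{{groovy}}" or "{{async async=false}}".
MACRO_OPEN_RE = re.compile(r'\{\{\s*([a-zA-Z]+)')
# Script macros the advisory ties to RCE ("script" is the generic wrapper).
SCRIPT_MACROS = {'groovy', 'python', 'script'}
WRITE_ACTIONS = {'save', 'saveandcontinue', 'edit', 'create', 'preview', 'inline'}
TARGET_DOC = 'SkinsCode.XWikiSkinsSheet'


def parse_line(line):
    """Parse one access-log line into an XWiki request, or None if not a /bin/ URL."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m['target'])
    b = BIN_RE.match(url.path)
    if not b:
        return None
    # Split before decoding so an encoded slash (%2F) stays inside the page name.
    segments = [unquote(s) for s in b['doc'].split('/')]
    return {
        'ip': m['ip'], 'user': m['user'], 'ts': m['ts'], 'status': int(m['status']),
        'action': b['action'],
        'reference': '.'.join(segments),   # dotted Space.Page reference
        'page': segments[-1],
        'query': unquote(url.query),
    }


def detect(log_text, admin_users=frozenset({'Admin'})):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        req = parse_line(line)
        if not req:
            continue
        if req['reference'] == TARGET_DOC and req['user'] not in admin_users:
            findings.append({**req, 'rule': 'skins_sheet_access'})
        macros = {m.group(1).lower()
                  for m in MACRO_OPEN_RE.finditer(req['page'] + ' ' + req['query'])}
        if macros and req['action'] in WRITE_ACTIONS:
            rule = ('script_macro_in_page_name' if macros & SCRIPT_MACROS
                    else 'macro_syntax_in_page_name')
            findings.append({**req, 'rule': rule, 'macros': sorted(macros)})
    return findings


# Constructed sample log lines, not captured from a real system.
SAMPLE_LOG = """\
10.0.0.2 - Admin [01/Jul/2023:09:59:50 +0000] "GET /xwiki/bin/view/SkinsCode/XWikiSkinsSheet HTTP/1.1" 200 8412
10.0.0.5 - - [01/Jul/2023:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123
10.0.0.7 - - [01/Jul/2023:10:00:09 +0000] "GET /xwiki/bin/view/SkinsCode/XWikiSkinsSheet HTTP/1.1" 200 8412
10.0.0.7 - - [01/Jul/2023:10:00:15 +0000] "POST /xwiki/bin/save/Sandbox/%7B%7Bgroovy%7D%7Dprintln%28%22x%22%29%7B%7B%2Fgroovy%7D%7D HTTP/1.1" 302 0
10.0.0.7 - - [01/Jul/2023:10:00:22 +0000] "GET /xwiki/bin/view/Sandbox/WebHome?xpage=plain HTTP/1.1" 200 300
10.0.0.9 - - [01/Jul/2023:10:01:02 +0000] "GET /xwiki/bin/edit/Notes/Meeting%20%7B%7Bhtml%7D%7D HTTP/1.1" 200 9000
"""

if __name__ == '__main__':
    for f in detect(SAMPLE_LOG):
        print(f['ts'], f['ip'], f['user'], f['rule'], f['action'], f['reference'])
```

Run it over your own access log in place of SAMPLE_LOG; the first finding is the kind of direct read of the sheet that precedes the exploit, the second is a page created with a Groovy macro in its name, and the third shows that plain macro syntax in a page name is reported separately from the script macros that need programming rights.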
