CVE-2023-37910

8.1 HIGH

📋 TL;DR

This vulnerability in XWiki Platform allows any user with edit access to any document (including user profiles, which are editable by default) to move any attachment from any other document to a document they control. The attacker gains access to the attachment regardless of the permissions on its source document, and the attachment is removed from that source. All XWiki instances running affected versions are vulnerable.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 14.0-rc-1 through 14.4.7, 14.10.0 through 14.10.3, and all 15.0 pre-release versions before 15.0-rc-1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: User profiles are editable by default, so every installation that has not changed the default permissions is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all sensitive attachments across the wiki, including confidential documents, credentials, or proprietary data, followed by their deletion from their legitimate locations.

🟠 Likely Case

Targeted theft of specific known attachments containing sensitive information, potentially leading to data breaches or intellectual property theft.

🟢 If Mitigated

Limited impact if strict access controls are already in place, but the flaw still allows unauthorized movement of attachments between documents wherever the attacker has some edit rights.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an authenticated user with edit rights on any document. The attack is straightforward once the attacker knows the attachment names.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.4.8, 14.10.4, or 15.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rwwx-6572-mp29

Restart Required: Yes

Instructions:

1. Back up your XWiki instance.
2. Download and install XWiki 14.4.8, 14.10.4, or 15.0-rc-1 from xwiki.org.
3. Follow the XWiki upgrade documentation for your specific deployment method.
4. Restart the application server.

🔧 Temporary Workarounds

No official workaround (applies to all affected versions)

The vendor states there is no workaround apart from upgrading to a fixed version.

🧯 If You Can't Patch

  • Restrict edit permissions on all documents, especially user profiles, to trusted users only
  • Monitor for unusual attachment move operations and audit attachment access logs

🔍 How to Verify

Check if Vulnerable:

Check the XWiki version via the Admin interface or by examining the application files. If the version is between 14.0-rc-1 and 14.4.7, between 14.10.0 and 14.10.3, or any 15.0 pre-release before 15.0-rc-1, you are vulnerable.

Check Version:

Check the XWiki Admin dashboard, or examine the WEB-INF/xwiki.properties file for version information.

Verify Fix Applied:

After upgrading, verify that the Admin interface shows version 14.4.8, 14.10.4, or 15.0-rc-1 or higher.
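Comparing XWiki version strings by hand is error-prone because the affected ranges mix final releases with pre-releases (14.0-rc-1, 15.0 milestones). The following Python helper, added here as an example and not part of this page or of XWiki itself, encodes the "Check if Vulnerable" rule above. The affected ranges are taken verbatim from this page's Versions line; the version-string grammar (`major.minor[.patch][-milestone-N|-rc-N]`) and the ordering milestone < rc < final release are assumptions about XWiki's naming, so adjust `_PRERELEASE_RANK` if your instance uses other tags.

```python
import re
from typing import Tuple

# Affected ranges exactly as listed on this page (inclusive bounds).
AFFECTED_RANGES = [
    ("14.0-rc-1", "14.4.7"),
    ("14.10.0", "14.10.3"),
]
# Any 15.0 pre-release older than this is also affected, per the page.
FIRST_FIXED_15 = "15.0-rc-1"

# Assumed XWiki version grammar: 14.4.7, 14.10, 15.0-milestone-2, 15.0-rc-1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)-(\d+))?$")

# Assumed pre-release ordering: milestone < rc < final release.
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a tuple that sorts correctly.

    The tuple is (major, minor, patch, prerelease_rank, prerelease_number),
    so 15.0-milestone-1 < 15.0-rc-1 < 15.0 < 15.0.1 under plain tuple ordering.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, tag, number = match.groups()
    if tag is None:
        return (int(major), int(minor), int(patch or 0), _FINAL_RANK, 0)
    rank = _PRERELEASE_RANK.get(tag.lower())
    if rank is None:
        raise ValueError(f"unknown pre-release tag {tag!r} in {version!r}")
    return (int(major), int(minor), int(patch or 0), rank, int(number))


def is_vulnerable(version: str) -> bool:
    """Return True if the given XWiki version falls in an affected range."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= key <= parse_version(high):
            return True
    # 15.0 pre-releases (milestones, earlier rcs) before 15.0-rc-1.
    if key[:3] == (15, 0, 0) and key < parse_version(FIRST_FIXED_15):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real system.
    for sample in ["13.10.5", "14.0-rc-1", "14.4.7", "14.4.8",
                   "14.10.3", "14.10.4", "15.0-milestone-1", "15.0-rc-1"]:
        state = "VULNERABLE" if is_vulnerable(sample) else "not affected"
        print(f"{sample:>18}: {state}")
```

Feed it the version string shown in the Admin interface; a `ValueError` means the string did not match the assumed grammar and should be checked by hand rather than trusted as "not affected".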

📡 Detection & Monitoring

Log Indicators:

  • Unusual attachment move operations between documents
  • Attachment access from unexpected user accounts
  • Multiple failed attachment access attempts followed by successful moves

Network Indicators:

  • HTTP POST requests to attachment move endpoints from unauthorized users

SIEM Query:

source="xwiki.log" AND ("move attachment" OR "attachment moved") AND NOT user IN ["authorized_users_list"]
