CVE-2023-40572
📋 TL;DR
CVE-2023-40572 is a Cross-Site Request Forgery (CSRF) vulnerability in XWiki Platform's create action that allows attackers to execute arbitrary scripts when targeting users with script/programming rights. This can lead to remote code execution, compromising the entire XWiki installation. All XWiki installations with users having script rights are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the XWiki installation through remote code execution, allowing an attacker to access, modify, or delete all data, install backdoors, and take full control of the system.
Likely Case
An attacker creates malicious pages containing scripts that execute with the victim's privileges, potentially stealing sensitive data, modifying content, or performing unauthorized actions.
If Mitigated
With proper CSRF protections and access controls, impact is limited to unauthorized page creation without script execution.
🎯 Exploit Status
Exploitation requires tricking a user with script rights into visiting a malicious page. The vulnerability is straightforward to exploit once the target is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.9 or 15.4RC1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m
Restart Required: Yes
Instructions:
1. Back up your XWiki installation.
2. Upgrade to XWiki 14.10.9 or 15.4RC1.
3. Restart the XWiki service/application server.
4. Verify the fix by checking that CSRF tokens are now required for page creation.
🔧 Temporary Workarounds
Restrict Script Rights
Temporarily remove script/programming rights from all users except the administrators who absolutely need them.
Navigate to XWiki Admin > Rights > Global Rights and remove the 'script' right from non-essential users.
Implement CSRF Protection Proxy
Deploy a web application firewall or reverse proxy that enforces CSRF checks in front of XWiki (for example, rejecting POST requests to the create action that carry no valid token).
🧯 If You Can't Patch
- Implement strict access controls to keep the number of users with script rights to the absolute minimum
- Monitor logs for 'ERROR foo - Script executed!' messages and investigate immediately (this string comes from the advisory's proof of concept; an attacker's script logs whatever it chooses, so treat it as a sanity check rather than full coverage)
🔍 How to Verify
Check if Vulnerable:
Check whether your XWiki version is older than 14.10.9 (14.x line) or 15.4RC1 (15.x line). Also test by attempting to create a page without a CSRF token while logged in as a user with script rights.
Check Version:
Check the XWiki version in Admin > About or in the xwiki.cfg file.
Verify Fix Applied:
After patching, verify that page creation requests now require a valid CSRF token and fail without it.
📡 Detection & Monitoring
Log Indicators:
- 'ERROR foo - Script executed!' messages in logs
- Unexpected page creation events
- Suspicious script execution patterns
Network Indicators:
- POST requests to create action without CSRF tokens
- Multiple page creation requests from same source
SIEM Query:
source="xwiki.log" AND ("ERROR foo - Script executed!" OR ("create action" AND NOT "csrf_token"))
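The indicators above, turned into a small log-triage script as an added example (not from this page or the XWiki project): it flags create-action POSTs lacking a CSRF token, sources issuing many create requests, and the advisory's proof-of-concept log string. Assumptions: the token parameter name `form_token`, the `/bin/create/` path layout, and the constructed log lines embedded below; since plain access logs do not record POST bodies, the token check needs a proxy or WAF log that captures form parameters.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Assumption: the CSRF token travels as the "form_token" request parameter (the
# page's SIEM query calls it "csrf_token"; set this to whatever your proxy logs).
TOKEN_PARAM = "form_token"
# String quoted in this advisory; it only catches scripts that log exactly this.
POC_MARKER = "ERROR foo - Script executed!"
# XWiki's create action lives under /bin/create/ (assumed URL layout).
CREATE_ACTION = re.compile(r"/bin/create/")

# Constructed sample access log: "<client_ip> <user> <method> <url>" per line.
ACCESS_LOG = """\
10.0.0.5 alice POST /xwiki/bin/create/Main/Notes?form_token=a1b2c3
10.0.0.5 alice GET /xwiki/bin/view/Main/Notes
198.51.100.7 bob POST /xwiki/bin/create/Main/Drop1
198.51.100.7 bob POST /xwiki/bin/create/Main/Drop2
198.51.100.7 bob POST /xwiki/bin/create/Main/Drop3
"""
# Constructed sample XWiki application log.
APP_LOG = """\
2023-09-12 10:00:05 INFO  o.x.s.Rendering - rendered Main.Notes
2023-09-12 10:00:09 ERROR foo - Script executed!
"""

def create_posts(access_log):
    """Yield (ip, user, url) for every POST aimed at the create action."""
    for line in access_log.splitlines():
        ip, user, method, url = line.split(maxsplit=3)
        if method == "POST" and CREATE_ACTION.search(url):
            yield ip, user, url

def missing_token_creates(access_log):
    """Create-action POSTs that carry no CSRF token parameter at all."""
    return [(ip, user, url) for ip, user, url in create_posts(access_log)
            if TOKEN_PARAM not in parse_qs(urlparse(url).query)]

def bursty_creators(access_log, threshold=3):
    """Client IPs issuing at least `threshold` create-action POSTs."""
    counts = Counter(ip for ip, _, _ in create_posts(access_log))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def poc_marker_lines(app_log):
    """Application-log lines containing the advisory's proof-of-concept string."""
    return [line for line in app_log.splitlines() if POC_MARKER in line]
```

Feed your own proxy and application log text to the three functions; on the constructed sample, bob's three token-less create POSTs and the single PoC marker line are the hits.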
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6m
- https://jira.xwiki.org/browse/XWIKI-20849