CVE-2023-45134
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in XWiki Platform. A user whose account can edit at least one document can define a template provider whose fields are written into the page without escaping by the createinline.vm template. When another user later reaches the document creation step in which that provider is shown, the injected JavaScript runs in that user's session and with that user's rights. Against an administrator or a user holding programming rights this escalates from account takeover and data theft to remote code execution through XWiki's server-side scripting. Any installation running an affected version is exposed; no non-default configuration is required.
💻 Affected Systems
- XWiki Platform
- XWiki Platform Web
- XWiki Platform Web Templates
- XWiki Web Standard
📦 What is this software?
XWiki is an open-source, Java-based enterprise wiki platform developed by XWiki SAS. Pages can carry structured objects (XObjects) defined by classes (XClasses); a template provider is such an object, of class XWiki.TemplateProviderClass, that offers a template to users creating new pages.
⚠️ Risk & Real-World Impact
Worst Case
An administrator or a user with programming rights triggers the payload. The script acts in that session: it can grant rights, change credentials, or save a page containing Groovy or Velocity that executes with programming rights, which is remote code execution on the server and full read/write access to the wiki and the host it runs on.
Likely Case
A regular authenticated user triggers the payload. The script performs actions on their behalf (editing pages they can edit, reading and exfiltrating content they can see, changing their profile or preferences) and yields privilege escalation whenever the victim holds more rights than the attacker.
If Mitigated
Low once the vulnerable output is escaped or template provider creation is confined to trusted administrators. Note that the flaw is missing output escaping in one Velocity template, so generic input validation elsewhere in the stack does not address it, and a Content Security Policy strict enough to block the payload would also block XWiki's own inline scripts.
🎯 Exploit Status
Exploitation requires an authenticated account with edit rights on some document; by default every registered user can edit their own profile page, which is enough to hold a template provider object. From there the attack is straightforward: add a template provider whose displayed field carries a script payload, then wait for or lure other users to open the document creation UI in which it is listed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version (the advisory gives one range per Maven module because the template moved between modules over XWiki's history: xwiki-web-standard, then xwiki-platform-web, then xwiki-platform-web-templates from 13.4-rc-1; check the installed module name before comparing):
- org.xwiki.platform:xwiki-platform-web: 13.4-rc-1 and later
- org.xwiki.platform:xwiki-platform-web-templates: 14.10.2 and later, or 15.5-rc-1 and later
- org.xwiki.platform:xwiki-web-standard: 3.1-milestone-1 and later
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gr82-8fj2-ggc3
Restart Required: Yes
Instructions:
1. Update to a patched version through your package manager or by replacing the deployed WAR.
2. If an upgrade is not immediately possible, apply the escaping changes from commit ba56fda175156dd35035f2b8c86cbd8ef1f90c2e to createinline.vm.
3. Restart the XWiki application server.
🔧 Temporary Workarounds
Manual Template File Patching
Apply the escaping fix from the vendor commit directly to createinline.vm when a full version upgrade has to wait:
- Download the patch from https://github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2e
- Apply the changes to WEB-INF/templates/createinline.vm in the deployed XWiki WAR, then restart the application server
Restrict Template Creation Permissions
Limit who can create template providers to trusted administrators. A template provider is an XWiki.TemplateProviderClass object and can be attached to any page the attacker can edit, including their own profile, so tightening edit rights on the existing template provider pages alone does not close the hole; the restriction has to cover every page regular users can edit, which is rarely practical. Treat this as a reduction of exposure, not a fix, and audit existing providers for planted markup.
🧯 If You Can't Patch
- A Content Security Policy that forbids inline script would block the payload, but XWiki's own UI depends on inline scripts, so a blanket policy breaks the wiki; only a nonce- or hash-based policy tested against your templates is workable, and this is a significant project rather than a quick workaround
- Disable or restrict profile editing and other edit rights for non-administrative users so that untrusted accounts have no page on which to place a template provider object
- Audit existing XWiki.TemplateProviderClass objects for names or descriptions containing markup, and remove any that were not created by administrators
🔍 How to Verify
Check if Vulnerable:
Compare the installed version against the affected ranges for the module you actually run. Then open WEB-INF/templates/createinline.vm in the deployed WAR and look at how template provider fields such as the name and description are written out: a $-reference to a provider value that is not wrapped in an escaping call indicates a vulnerable template.
Check Version:
Read the version from the XWiki administration panel, from META-INF/maven/org.xwiki.platform/*/pom.properties inside the deployed WAR, or by evaluating $xwiki.getVersion() in a page you have script rights on.
Verify Fix Applied:
Confirm the version is at or above the patched release for your module, or check that createinline.vm wraps the template provider values in $escapetool.xml() calls as in the fix commit. Re-run the template provider audit afterwards: the fix stops the payload from rendering but does not remove an object an attacker has already planted.
📡 Detection & Monitoring
Log Indicators:
- Document history or activity-stream entries that add an XWiki.TemplateProviderClass object to a page, especially by a non-administrator and especially on a user profile page
- Template provider names or descriptions containing <, >, " or on*= attribute fragments
- A burst of other users opening the document creation UI shortly after such an object appears (a lure campaign)
The payload runs in the victim's browser and produces no server-side JavaScript error; what the server records is the attacker's object edit beforehand and the hijacked session's actions afterwards (rights changes, script pages saved, password or e-mail changes).
Network Indicators:
- Requests from users' browsers to hosts outside your normal set immediately after loading the document creation UI (exfiltration of page content or CSRF tokens)
- Requests carrying the create action (/bin/create/) or xpage=createinline from a session that then performs privileged writes
SIEM Query:
source="access.log" AND ("/bin/create/" OR "xpage=createinline")
The application log (xwiki.log) does not record which template providers were rendered, so correlate access-log hits for the creation UI with the object-edit history above rather than searching xwiki.log for template names.
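One concrete check, added here as an example and not taken from the advisory or from XWiki's own code: the Python script below audits a XAR export of the wiki for XWiki.TemplateProviderClass objects whose string properties carry HTML tags, event-handler attributes, javascript: URIs or double quotes, and reports the holding page and its last author. It assumes the standard XAR page layout (an <xwikidoc> root with <web>, <name>, <author> and <object> children, each <property> wrapping one element named after the property). The sample export it falls back to when run without an argument is constructed, including the payload, the user names and the page names.

```python
"""Audit a XAR export for template providers that carry HTML/JS payloads.
Added example for this advisory, not XWiki project code: reports every
XWiki.TemplateProviderClass object whose string properties contain markup
that an unescaped createinline.vm would render as live HTML."""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from xml.sax.saxutils import escape

TEMPLATE_PROVIDER_CLASS = "XWiki.TemplateProviderClass"

# Heuristics for values that never belong in a provider's name or description.
# Assumption: hand-picked patterns, not a full HTML parser.
SUSPICIOUS = (
    ("html-tag", re.compile(r"<[a-zA-Z!/]")),
    ("event-handler", re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)),
    ("javascript-uri", re.compile(r"javascript\s*:", re.IGNORECASE)),
    ("attribute-breakout", re.compile(r'"')),
)


@dataclass
class Finding:
    document: str   # Space.Page that holds the object
    author: str     # last author recorded for that document (<author>)
    number: int     # object index within the document
    prop: str       # property name, e.g. "name" or "description"
    reason: str
    value: str


def scan_document(xml_bytes: bytes) -> list:
    """Findings for one XAR entry; non-<xwikidoc> entries (package.xml) yield none."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return []
    if root.tag != "xwikidoc":
        return []
    document = f"{root.findtext('web', '')}.{root.findtext('name', '')}"
    author = root.findtext("author", "")
    findings = []
    for obj in root.findall("object"):
        if obj.findtext("className") != TEMPLATE_PROVIDER_CLASS:
            continue
        number = int(obj.findtext("number", "0"))
        # XAR layout: each <property> wraps one child element named after the property.
        for prop in obj.findall("property"):
            for field in prop:
                value = field.text or ""
                for reason, pattern in SUSPICIOUS:
                    if pattern.search(value):
                        findings.append(Finding(document, author, number, field.tag, reason, value))
                        break
    return findings


def scan_xar(source) -> list:
    """Scan every .xml entry of a .xar given as a path or a file-like object."""
    findings = []
    with zipfile.ZipFile(source) as zf:
        for entry in zf.namelist():
            if entry.endswith(".xml"):
                findings.extend(scan_document(zf.read(entry)))
    return findings


def _doc_xml(web: str, name: str, author: str, providers: list) -> bytes:
    """Constructed XAR-style page XML with one template provider object per dict."""
    objects = ""
    for i, props in enumerate(providers):
        fields = "".join(f"<property><{k}>{escape(v)}</{k}></property>" for k, v in props.items())
        objects += (f"<object><name>{web}.{name}</name><number>{i}</number>"
                    f"<className>{TEMPLATE_PROVIDER_CLASS}</className>{fields}</object>")
    return (f'<?xml version="1.0" encoding="UTF-8"?><xwikidoc reference="{web}.{name}">'
            f"<web>{web}</web><name>{name}</name><author>{author}</author>"
            f"{objects}<content/></xwikidoc>").encode("utf-8")


def build_sample_xar() -> bytes:
    """Constructed export: a planted payload on a user profile, a benign admin-owned
    provider (a bare '&' in its name is legitimate), and a page without objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("package.xml", "<package><infos><name>sample</name></infos></package>")
        zf.writestr("XWiki/mallory.xml", _doc_xml("XWiki", "mallory", "XWiki.mallory", [
            {"name": "<img src=x onerror=alert(document.cookie)>",
             "description": "Meeting notes", "template": "Templates.MeetingNotes"}]))
        zf.writestr("Templates/MeetingNotesProvider.xml", _doc_xml(
            "Templates", "MeetingNotesProvider", "XWiki.Admin", [
                {"name": "Meeting notes & agenda",
                 "description": "Weekly meeting template", "template": "Templates.MeetingNotes"}]))
        zf.writestr("Sandbox/WebHome.xml", _doc_xml("Sandbox", "WebHome", "XWiki.Admin", []))
    return buf.getvalue()


def scan_sample() -> list:
    """Run the audit over the constructed sample export."""
    return scan_xar(io.BytesIO(build_sample_xar()))


if __name__ == "__main__":
    hits = scan_xar(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for hit in hits:
        print(f"{hit.document} (author {hit.author}) object #{hit.number} "
              f"{hit.prop} [{hit.reason}]: {hit.value!r}")
    sys.exit(1 if hits else 0)
```

Run it against a real export with the export file as the only argument. A hit on a page outside the spaces where your templates normally live, or authored by a non-administrator, is the artifact the attacker leaves whether or not anyone has triggered the payload yet; running the same scan after patching tells you what to clean up, since the fix only stops rendering the payload and does not remove it.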
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2e
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gr82-8fj2-ggc3
- https://jira.xwiki.org/browse/XWIKI-20962