CVE-2023-45136
📋 TL;DR
This vulnerability allows reflected cross-site scripting (XSS) in XWiki's page creation form when document name validation is enabled. An attacker can craft a link that, when opened by a victim, runs script in the victim's browser and performs arbitrary actions with the victim's privileges, potentially leading to remote code execution and full access to the XWiki installation. Affected systems are XWiki versions 12.0-rc-1 through 12.10.11 and 13.0 through 15.5-rc-1 with document name validation enabled.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of XWiki installation including remote code execution, complete data access/modification, and privilege escalation to administrative control.
Likely Case
Session hijacking, data theft, or unauthorized actions performed with the victim's permissions, potentially leading to privilege escalation.
If Mitigated
Limited impact if document name validation is disabled (default) or proper input validation/escaping is implemented.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) and document name validation enabled. The vulnerability is well-documented with public advisory and patch details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 14.10.12 and 15.5-rc-1
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj9-gcpg-4w2w
Restart Required: Yes
Instructions:
1. Upgrade to XWiki 14.10.12 or 15.5-rc-1.
2. Alternatively, manually patch the createinline.vm template with the changes from commit ba56fda175156dd35035f2b8c86cbd8ef1f90c2e.
3. Restart the XWiki service.
🔧 Temporary Workarounds
Disable document name validation
Disable the vulnerable feature that enables this attack vector
Edit xwiki.cfg or xwiki.properties to set xwiki.store.name.validation.enabled=false
Apply manual patch to template
Manually apply the escaping fix to the vulnerable template file
Apply changes from https://github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2e to WEB-INF/templates/createinline.vm
🧯 If You Can't Patch
- Disable document name validation feature immediately
- Implement WAF rules to block XSS payloads in page creation requests
🔍 How to Verify
Check if Vulnerable:
Check whether the running version is within the affected range and whether document name validation is enabled in the configuration
Check Version:
Check XWiki administration panel or view xwiki.version system property
Verify Fix Applied:
Verify version is 14.10.12+ or 15.5-rc-1+, or check that createinline.vm contains proper escaping for document names
📡 Detection & Monitoring
Log Indicators:
- Unusual page creation requests with script tags or JavaScript in document names
- Multiple failed page creation attempts with suspicious parameters
Network Indicators:
- HTTP requests to createinline.vm with script payloads in parameters
- Referrer headers containing malicious JavaScript
SIEM Query:
source="xwiki" AND (uri="*createinline*" AND (param="*<script>*" OR param="*javascript:*"))
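As an added example (not code from XWiki or from this advisory), the log check above implemented in Python: it scans constructed access-log lines for requests to createinline whose query parameters carry script-like content, URL-decoding the values first so that encoded payloads the literal SIEM pattern above would miss are still flagged. The combined log format, the parameter name `name` and the sample lines are assumptions.

```python
"""Added example (not XWiki's or the advisory's code): flag access-log
requests to the createinline template whose query parameters carry
script-like content, after URL-decoding the values."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristic XSS markers, matched on the decoded parameter value.
MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Extracts the request target from a combined-log-format line (assumed format).
LINE_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/[\d.]+"')

# Constructed sample lines; the parameter name "name" is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Nov/2023:10:00:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Nov/2023:10:00:01 +0000] "GET /xwiki/bin/create/Main/WebHome'
    '?xpage=createinline&name=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 840',
    '10.0.0.9 - - [01/Nov/2023:10:00:02 +0000] "GET /xwiki/bin/create/Main/WebHome'
    '?xpage=createinline&name=Report HTTP/1.1" 200 840',
]


def suspicious_params(request_target):
    """Return (name, decoded value) pairs of a createinline request that match
    MARKERS. parse_qsl decodes once; unquote twice more catches double-encoding."""
    parts = urlsplit(request_target)
    if "createinline" not in parts.path and "createinline" not in parts.query:
        return []
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(unquote(value))
        if MARKERS.search(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Yield (line number, hits) for every log line with a suspicious request."""
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                yield number, hits


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {hits}")
```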
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2e
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qcj9-gcpg-4w2w
- https://jira.xwiki.org/browse/XWIKI-20854