CVE-2023-45137
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in XWiki Platform that allows attackers to inject malicious scripts into error messages when creating documents. The vulnerability affects XWiki installations where users can create documents, potentially allowing session hijacking, credential theft, or unauthorized actions. Attackers must first create a document with malicious content in its name to exploit this vulnerability.
💻 Affected Systems
- XWiki Platform
- XWiki Platform Web
- XWiki Platform Web Templates
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover, session hijacking, credential theft, or installation of backdoors through malicious JavaScript execution in users' browsers.
Likely Case
Session hijacking or credential theft when users encounter the malicious error message, potentially leading to unauthorized access to wiki content.
If Mitigated
Limited impact with proper Content Security Policy (CSP) headers and input validation, though XSS could still execute in some contexts.
🎯 Exploit Status
Exploitation requires document creation privileges and involves creating a document with malicious content in its name, then triggering the error condition.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: org.xwiki.platform:xwiki-platform-web 13.4-rc-1 or later; org.xwiki.platform:xwiki-platform-web-templates 14.10.12 or 15.5-rc-1 or later
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-93gh-jgjj-r929
Restart Required: Yes
Instructions:
1. Upgrade to the patched versions.
2. For manual patching, apply the changes from commit ed8ec747967f8a16434806e727a57214a8843581 to the createinline.vm template.
3. Restart the XWiki service.
🔧 Temporary Workarounds
Restrict Document Creation
Limit document creation privileges to trusted users only to prevent exploitation.
Apply Content Security Policy
Implement strict CSP headers to mitigate XSS impact.
🧯 If You Can't Patch
- Implement strict input validation for document names to block malicious characters
- Deploy web application firewall (WAF) rules to detect and block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check XWiki version and verify if createinline.vm template lacks proper escaping for error messages in document creation.
Check Version:
Check XWiki administration panel or examine WAR file version metadata.
Verify Fix Applied:
Verify version is patched or check that createinline.vm template includes proper HTML escaping for error messages.
📡 Detection & Monitoring
Log Indicators:
- Unusual document creation attempts with special characters in names
- Multiple failed document creation attempts triggering error messages
Network Indicators:
- HTTP requests containing XSS payloads in document creation parameters
SIEM Query:
Search for document creation events with suspicious characters (<, >, ", ', &, etc.) in document names
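The log indicators and SIEM query above can be turned into a small offline check. The following Python script is an added example, not part of the advisory or of XWiki: it parses constructed access-log lines (combined-log style, invented here), picks out requests to the create action, percent-decodes the name parameters and flags any value carrying characters that can break out of an HTML context if rendered unescaped. The path fragment `/bin/create/` and the parameter names `name` and `spaceReference` are assumptions about how XWiki's create form submits names; adjust them to what your own logs show. Bare `&` is reported separately because it is common in legitimate titles ("Q&A") and would otherwise drown the signal.

```python
"""Flag document-creation requests whose document name carries HTML-significant
characters. Added example; the log lines are constructed and the URL layout and
parameter names are assumptions, not taken from the advisory."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Nov/2023:10:01:12 +0000] "GET /xwiki/bin/create/Main/WebHome?name=Meeting+Notes&tocreate=page HTTP/1.1" 200 5120
10.0.0.9 - - [02/Nov/2023:10:02:40 +0000] "GET /xwiki/bin/create/Main/WebHome?name=%3Cscript%3Etest%3C%2Fscript%3E&tocreate=page HTTP/1.1" 200 4890
10.0.0.9 - - [02/Nov/2023:10:02:41 +0000] "GET /xwiki/bin/create/Main/WebHome?name=%22%3E%3Cb%3Ex%3C%2Fb%3E&tocreate=page HTTP/1.1" 200 4891
10.0.0.7 - bob [02/Nov/2023:10:05:03 +0000] "GET /xwiki/bin/create/Main/WebHome?name=Q%26A+Session&tocreate=page HTTP/1.1" 200 5001
10.0.0.5 - alice [02/Nov/2023:10:06:15 +0000] "POST /xwiki/bin/save/Main/WebHome HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

# Characters that matter when a name is echoed into HTML without escaping.
HIGH = set('<>"\'')   # can open a tag or close an attribute
LOW = set('&')        # entity start; noisy on its own, so reported as low

CREATE_PATH = "/bin/create/"               # assumed path of the create action
NAME_PARAMS = ("name", "spaceReference")   # assumed parameters carrying user-chosen names


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(value):
    """Return (sorted suspicious characters, True if any high-risk char present)."""
    chars = set(value) & (HIGH | LOW)
    return sorted(chars), bool(chars & HIGH)


def find_suspicious_creates(log_text):
    """One finding per create-action request whose name parameters contain
    HTML-significant characters. parse_qs percent-decodes, so an encoded
    %3C is seen as '<' and an encoded %26 does not split the query."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or CREATE_PATH not in rec["path"]:
            continue
        query = parse_qs(urlsplit(rec["path"]).query)
        for param in NAME_PARAMS:
            for value in query.get(param, []):
                chars, high = classify(value)
                if chars:
                    findings.append({
                        "ip": rec["ip"], "user": rec["user"], "ts": rec["ts"],
                        "param": param, "value": value, "chars": chars, "high": high,
                    })
    return findings


def repeat_offenders(findings, threshold=2):
    """Source IPs with at least `threshold` findings: repeated attempts are the
    second log indicator listed above."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_suspicious_creates(SAMPLE_LOG)
    for h in hits:
        level = "HIGH" if h["high"] else "low "
        print(f"{level} {h['ip']:<10} {h['user']:<6} {h['param']}={h['value']!r} chars={h['chars']}")
    print("repeat offenders:", repeat_offenders(hits))
```

Run against a real access log, the same function works on any line matching the combined format; only the path fragment and parameter names need changing if your deployment differs. Treat the low-severity `&` hits as context for the high ones rather than alerts in their own right.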
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/ed8ec747967f8a16434806e727a57214a8843581
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-93gh-jgjj-r929
- https://jira.xwiki.org/browse/XWIKI-20961