Login Sign Up

CVE-2023-48240

9.0 CRITICAL
Authentication Bypass SSRF

📋 TL;DR

This vulnerability in XWiki Platform allows attackers to steal login and session cookies via image embedding in rendered diffs, enabling user impersonation. It also permits server-side request forgery and exposes protected content through caching issues. Affects XWiki versions 11.10.1 through 14.10.14, 15.0.0 through 15.5.0, and 15.6 RC1.

💻 Affected Systems

Products:
  • XWiki Platform
Versions: 11.10.1 through 14.10.14, 15.0.0 through 15.5.0, and 15.6 RC1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All XWiki installations with diff functionality enabled are vulnerable by default.

📦 What is this software?

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

Xwiki by Xwiki

View all CVEs affecting Xwiki →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover via stolen session cookies, unauthorized access to protected resources, and server-side request forgery to internal systems.

🟠

Likely Case

Session hijacking leading to unauthorized wiki access and potential data exposure through cached protected content.

🟢

If Mitigated

Limited impact with proper network segmentation and external image restrictions, though still vulnerable to internal attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (viewing a crafted diff) but is straightforward once triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.10.15, 15.5.1, or 15.6

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7rfg-6273-f5wp

Restart Required: Yes

Instructions:

1. Backup your XWiki installation. 2. Download and install XWiki 14.10.15, 15.5.1, or 15.6 from xwiki.org. 3. Follow XWiki upgrade documentation. 4. Restart the application server.

🔧 Temporary Workarounds

Disable image embedding in diffs

all

Delete the diff XML JAR file to disable vulnerable image embedding functionality

rm WEB-INF/lib/xwiki-platform-diff-xml-*.jar

🧯 If You Can't Patch

  • Implement strict network controls to prevent XWiki from making external HTTP requests
  • Deploy a web application firewall (WAF) to block malicious image URLs and cookie exfiltration attempts

🔍 How to Verify

Check if Vulnerable:

Check XWiki version via Admin → About or verify if xwiki-platform-diff-xml-*.jar exists in WEB-INF/lib/

Check Version:

Check XWiki web interface at /xwiki/bin/view/Admin/About or examine xwiki.cfg file

Verify Fix Applied:

Confirm version is 14.10.15, 15.5.1, or 15.6+ via Admin → About

📡 Detection & Monitoring

Log Indicators:

  • Unusual external image requests from XWiki server
  • Multiple failed authentication attempts following diff views

Network Indicators:

  • Outbound HTTP requests from XWiki to unexpected domains
  • Cookie data in image request headers to external domains

SIEM Query:

source="xwiki.log" AND "GET /bin/view/Diff/" AND "image" AND ("http://" OR "https://")

📊 Metadata

CVE ID: CVE-2023-48240
CVSS v3 Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-201
Published: November 20, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-48240, you might also want to check these:

CVE-2020-27127 9.9

This critical vulnerability in Cisco Jabber allows attackers to execute arbitrary code with elevated...

Same vulnerability type (CWE-201)
CVE-2020-27133 9.9

CVE-2020-27133 is a critical vulnerability in Cisco Jabber that allows attackers to execute arbitrar...

Same vulnerability type (CWE-201)
CVE-2020-26085 9.9

This critical vulnerability in Cisco Jabber allows attackers to execute arbitrary programs with elev...

Same vulnerability type (CWE-201)