CVE-2024-37898
📋 TL;DR
This vulnerability in XWiki Platform allows users with view-only permissions on a page to delete and replace it with new content, bypassing edit and delete rights. The previous page version is moved to the recycle bin where it could theoretically be accessed, though rights restrictions limit actual exploitation. This affects XWiki instances with users having view-only permissions on pages.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized content modification leading to data integrity issues, potential information disclosure if deleted content can be accessed, and disruption of wiki operations.
Likely Case
Users with view-only permissions can overwrite pages they shouldn't edit, causing content corruption and requiring administrative intervention to restore original content.
If Mitigated
With proper access controls and monitoring, impact is limited to minor content disruption that can be restored from recycle bin by administrators.
🎯 Exploit Status
Exploitation requires an authenticated user with view permissions on the target page. Once authenticated with those permissions, the vulnerability is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki 14.10.21, 15.5.5, or 15.10.6
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq
Restart Required: Yes
Instructions:
1. Identify the current XWiki version.
2. Back up your XWiki instance.
3. Upgrade to XWiki 14.10.21, 15.5.5, or 15.10.6, depending on your current version branch.
4. Restart the XWiki application server.
5. Verify the upgrade was successful.
🔧 Temporary Workarounds
Temporary permission adjustment
Temporarily restrict view permissions on affected pages, or grant edit rights to the users who are expected to change them, so that no user holds view-only access where it could be used for the bypass.
Adjust page permissions via the XWiki administration interface so that users with view rights on a page also have appropriate edit rights, or restrict view access to that page.
🧯 If You Can't Patch
- Review and adjust page permissions so that users who only have view-only access are not granted it on critical pages
- Implement monitoring for page deletion and modification events, particularly from users with only view permissions
🔍 How to Verify
Check if Vulnerable:
Check the XWiki version via the administration panel or by examining the application. If the version is before 14.10.21, 15.5.5, or 15.10.6 on its branch, the system is vulnerable.
Check Version:
Check the XWiki administration panel or examine the application's version information.
Verify Fix Applied:
After patching, verify that the version shows 14.10.21, 15.5.5, or 15.10.6 (or a later release on the same branch). Test with a user having only view permissions to confirm they cannot delete or replace pages.
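Added example (not XWiki project code) that turns the fixed-version list above into a branch-aware check: it classifies a version string as vulnerable or fixed and names the nearest fixed release to upgrade to. It assumes that branches newer than those the advisory lists (16.x and up) are out of scope and that a release-candidate suffix can be ignored.

```python
# Added example (not XWiki project code): branch-aware check of an XWiki
# version string against the fixed releases named in this advisory.
import re

# Fixed releases per stable branch, as stated in the advisory for CVE-2024-37898.
FIXED = {
    (14, 10): (14, 10, 21),
    (15, 5): (15, 5, 5),
    (15, 10): (15, 10, 6),
}


def parse_version(text):
    """Parse '15.10.6', '15.10' or '14.10.21-rc-1' into (major, minor, patch).

    A pre-release suffix is ignored (assumption: a release candidate is treated
    like the release it precedes; confirm on the actual build if in doubt).
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(text):
    """True if the version predates the fix on its branch, False if it carries
    the fix, None for branches newer than any the advisory lists (16.x and up),
    which the fixed-version list on this page does not cover."""
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]           # same branch: compare the patch level
    if v[0] > max(major for major, _ in FIXED):
        return None                        # not covered by the advisory
    # Any other branch (13.x, 14.4, 15.7, ...) never received the fix.
    return True


def upgrade_target(text):
    """Nearest fixed release at or above the current branch, or None if the
    version is already fixed or outside the advisory's scope."""
    if is_vulnerable(text) is not True:
        return None
    v = parse_version(text)
    return min(f for f in FIXED.values() if f[:2] >= v[:2])


if __name__ == "__main__":
    for sample in ("14.10.20", "15.5.5", "15.7.0", "15.10.5", "16.2.0"):
        target = upgrade_target(sample)
        print(sample, is_vulnerable(sample), target and ".".join(map(str, target)))
```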
📡 Detection & Monitoring
Log Indicators:
- Page deletion events by users with only view permissions
- Unusual page modification patterns from view-only users
- Recycle bin operations from non-administrative users
Network Indicators:
- HTTP POST requests to page save endpoints from users with limited permissions
SIEM Query:
source="xwiki" AND (event_type="page_delete" OR event_type="page_save") AND user_permissions="view_only"
🔗 References
- https://github.com/xwiki/xwiki-platform/commit/0bc27d6ec63c8a505ff950e2d1792cb4f773c22e
- https://github.com/xwiki/xwiki-platform/commit/56f5d8aab7371d5ba891168f73890806551322c5
- https://github.com/xwiki/xwiki-platform/commit/c5efc1e519e710afdf3c5f40c0fcc300ad77149f
- https://github.com/xwiki/xwiki-platform/commit/e4968fe268e5644ffd9bfa4ef6257d2796446009
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-33gp-gmg3-hfpq
- https://jira.xwiki.org/browse/XWIKI-21553