CVE-2023-35153 in XWiki
Summary
by MITRE • 06/23/2023
XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding an `AppWithinMinutes.FormFieldCategoryClass` class on a page and setting the payload on the page title. Then, any user visiting `/xwiki/bin/view/AppWithinMinutes/ClassEditSheet` executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update `AppWithinMinutes.ClassEditSheet` with a patch.
Analysis
by VulDB Data Team • 07/16/2023
CVE-2023-35153 is a stored cross-site scripting flaw in XWiki Platform that affects versions from 5.4.4 up to, but not including, the fixed releases 14.4.8, 14.10.4 and 15.0. The weakness lies in the App Within Minutes feature: the `AppWithinMinutes.ClassEditSheet` page renders the titles of pages that carry an `AppWithinMinutes.FormFieldCategoryClass` object without encoding them for HTML output. The title is stored with the page and reused every time the sheet is rendered, so any user with edit rights can persist attacker-controlled markup in the database, which the platform then writes unmodified into the HTML of the class edit sheet.
To exploit it, a user with edit rights adds an `AppWithinMinutes.FormFieldCategoryClass` object to a page they control and sets that page's title to the payload. When any user opens `/xwiki/bin/view/AppWithinMinutes/ClassEditSheet`, the sheet writes the title into the page unescaped and the browser runs the embedded script in the victim's authenticated session. Because the payload lives in the stored page title rather than in a single crafted request, this is stored (persistent) XSS: it hits every visitor until the offending page is cleaned up, and the script can issue requests with the victim's privileges, read content the victim can see, or redirect the victim to an attacker-controlled site. The weakness is CWE-79, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
The impact is larger than a single script execution because the payload is served to everyone who opens the class edit sheet, a page that application designers and administrators visit as part of normal App Within Minutes use. App Within Minutes lets users build custom forms and applications inside the wiki, so in collaborative deployments the affected sheet is a shared, regularly visited resource. If an administrator loads it, the script runs with that administrator's rights and can issue requests on their behalf, so the practical outcome is escalation from plain edit rights to whatever the victim can do, plus the option to plant further payloads that survive across sessions. The low bar for exploitation, edit rights on any one page, which open wikis often grant to every registered user, is what makes this severe.
Affected deployments should upgrade to 14.4.8, 14.10.4 or 15.0. Where that is not yet possible, apply the patched `AppWithinMinutes.ClassEditSheet` so that the title is HTML-escaped at the point of output (in XWiki Velocity templates this is normally done with `$escapetool.xml()`); output encoding is the actual fix, whereas filtering titles on input only narrows the attack surface. Operationally, review pages that carry an `AppWithinMinutes.FormFieldCategoryClass` object and have titles containing markup, and watch for new objects of that class being added by users who have no reason to design applications. Scanning wiki content for script-like strings, validating input at entry points, and limiting who holds edit rights all reduce exposure. In ATT&CK terms, the attacker-controlled JavaScript running in the victim's browser maps to T1059.007 (Command and Scripting Interpreter: JavaScript). The case illustrates the general rule for wiki and content management platforms: every piece of user-supplied content, including metadata such as page titles, must be encoded for the context in which it is rendered.
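As an added illustration (not XWiki's own code and not the patched sheet), the following Python models the rendering path described in the exploitation section and the audit step suggested in the mitigation paragraph. The `Page` record, `render_category_list`, `find_suspicious_category_pages`, `is_affected` and the sample page records are all constructed for this example; the real `AppWithinMinutes.ClassEditSheet` is a Velocity template, and the Python mirrors only the relevant step, writing a stored page title into HTML with and without output encoding. The version helper is derived from the ranges stated in the summary and handles release versions only.

```python
"""Added example for CVE-2023-35153 (illustrative, not XWiki's own code).

Everything here is an assumption made for the demonstration: the Page
record, the way the class edit sheet is modelled, and the sample pages.
The real AppWithinMinutes.ClassEditSheet is a Velocity template; this
mirrors only the relevant step, writing a stored page title into HTML.
"""
import html
import re
from dataclasses import dataclass, field

CATEGORY_CLASS = "AppWithinMinutes.FormFieldCategoryClass"


@dataclass
class Page:
    reference: str                               # e.g. "Space.Page"
    title: str                                   # stored with the page, attacker-controlled
    classes: list = field(default_factory=list)  # XObject class names attached to the page


def render_category_list(pages, escape_output):
    """Model of the sheet: one <li> per page carrying the category class.

    escape_output=False mirrors the pre-patch behaviour (title written raw);
    escape_output=True mirrors the fix (title HTML-encoded before output).
    """
    items = []
    for page in pages:
        if CATEGORY_CLASS not in page.classes:
            continue  # the sheet only lists field-category pages
        title = html.escape(page.title, quote=True) if escape_output else page.title
        ref = html.escape(page.reference, quote=True)
        items.append(f'<li data-reference="{ref}">{title}</li>')
    return '<ul class="categories">' + "".join(items) + "</ul>"


# Heuristic for the audit step: characters or tokens that are live in unescaped HTML.
ACTIVE_MARKUP = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.IGNORECASE)


def find_suspicious_category_pages(pages):
    """References of pages that both carry the category class and have a
    title the unpatched sheet would render as active markup."""
    return [p.reference for p in pages
            if CATEGORY_CLASS in p.classes and ACTIVE_MARKUP.search(p.title)]


def is_affected(version):
    """Version triage from the advisory's ranges (release versions only;
    release candidates are not modelled): affected from 5.4.4 up to but
    excluding the fixed releases 14.4.8, 14.10.4 and 15.0."""
    if version < (5, 4, 4):
        return False
    if version < (14, 4, 8):
        return True
    return (14, 5, 0) <= version < (14, 10, 4)


# Constructed sample data: one legitimate category page, one with a payload
# in its title, and one page whose title has markup but no category object.
PAYLOAD_TITLE = "<img src=x onerror=alert(1)>"
SAMPLE_PAGES = [
    Page("AppWithinMinutes.Categories.Basic", "Basic fields", [CATEGORY_CLASS]),
    Page("Sandbox.Evil", PAYLOAD_TITLE, [CATEGORY_CLASS]),
    Page("Sandbox.Harmless", "<b>never listed</b>", []),
]


def demo():
    """Return (unpatched_html, patched_html) for the sample pages."""
    return (render_category_list(SAMPLE_PAGES, escape_output=False),
            render_category_list(SAMPLE_PAGES, escape_output=True))


if __name__ == "__main__":
    raw, safe = demo()
    print("unpatched:", raw)
    print("patched:  ", safe)
    print("suspicious:", find_suspicious_category_pages(SAMPLE_PAGES))
    print("14.10.3 affected:", is_affected((14, 10, 3)))
```

Running the script shows the payload title embedded verbatim in the unpatched output and neutralised as `&lt;img ...&gt;` in the patched one; the page without a category object never reaches the sheet at all, which is why the audit only flags pages that carry the class. The regular expression is a coarse triage filter, not a sanitizer: the fix remains output encoding in the sheet.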