CVE-2023-35155 in XWiki
Summary
by MITRE • 06/23/2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). For instance, the following URL execute an `alter` on the browser: `/xwiki/bin/view/Main/?viewer=share&send=1&target=&target=%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Cimg+src+onerror%3Dalert%28document.domain%29%3E+%3Crenniepak%40intigriti.me%3E&includeDocument=inline&message=I+wanted+to+share+this+page+with+you.`, where `` is the URL of your XWiki installation. The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2023
The vulnerability CVE-2023-35155 represents a cross-site scripting vulnerability within the XWiki Platform, a widely-used generic wiki platform that provides runtime services for applications built upon it. This security flaw allows attackers to inject malicious JavaScript code through crafted URLs, potentially compromising user sessions and enabling further attack vectors. The vulnerability specifically affects how the platform processes URL parameters, particularly in the viewer functionality that handles document sharing operations. The flaw exists in the parameter validation and output encoding mechanisms that fail to properly sanitize user-supplied input before rendering it within web pages.
The technical implementation of this vulnerability occurs through the manipulation of URL parameters, particularly the target parameter which is processed without adequate sanitization. When users access the vulnerable endpoint with maliciously crafted payloads, the platform fails to properly encode or validate the input data before displaying it in the browser context. The specific payload demonstrated in the vulnerability description uses HTML img tags with onerror attributes that trigger JavaScript execution when the browser attempts to load the image. This particular technique exploits the browser's handling of malformed image sources, where the onerror event handler executes the injected JavaScript code. The vulnerability affects multiple versions of XWiki including 15.0-rc-1, 14.10.4, and 14.4.8, indicating it was present across a significant range of the platform's release cycle and represents a persistent issue in the codebase's input validation mechanisms.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal user credentials, redirect users to malicious sites, or even execute more sophisticated attacks such as defacement of wiki content. The vulnerability specifically affects the document sharing functionality where users can share pages with others, making it particularly dangerous in collaborative environments where multiple users interact with shared content. Attackers can leverage this flaw to inject malicious code that persists across user sessions and can be triggered when other users access the compromised pages. The vulnerability also creates opportunities for privilege escalation if the affected XWiki instance has users with administrative capabilities, as attackers could potentially manipulate shared documents to affect broader system functionality.
Security practitioners should note that this vulnerability aligns with CWE-79, which describes cross-site scripting flaws in web applications, and demonstrates the critical importance of proper input validation and output encoding in web security. The ATT&CK framework categorizes this as a code injection technique, specifically targeting the web application layer where user input is not properly sanitized. Organizations using XWiki platforms should immediately implement the patches released in versions 15.0-rc-1, 14.10.4, and 14.4.8 to remediate this vulnerability. Additional mitigations include implementing content security policies, conducting regular security assessments of URL parameter handling, and establishing proper input validation for all user-supplied data. The vulnerability also underscores the importance of maintaining current security practices and regular patch management, as similar issues often arise from inadequate sanitization of user inputs in web applications. Organizations should also consider implementing web application firewalls and monitoring for suspicious URL patterns that may indicate exploitation attempts.