CVE-2023-35156 in XWiki
Summary
by MITRE • 06/23/2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing them to inject JavaScript into the page (XSS). It is possible to exploit the delete template to perform an XSS, e.g. by using a URL such as xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability has existed since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch was provided in 14.10.5 but was not enough to entirely fix the vulnerability.
Analysis
by VulDB Data Team • 07/17/2023
The vulnerability CVE-2023-35156 is a cross-site scripting flaw in the XWiki Platform that allows remote attackers to inject malicious JavaScript through specially crafted URLs. It specifically affects the template deletion functionality within the platform's runtime services, creating an ongoing security risk for organizations relying on XWiki for collaborative applications and content management. The flaw lies in the way the platform processes URL parameters when handling template deletion operations, particularly when the xpage parameter is set to xpart and the vm parameter points to delete.vm. The vulnerability has been present since version 6.0-rc-1, indicating a long-standing security gap that could have been exploited for years without detection.
The technical exploitation mechanism involves crafting a URL whose parameters reach the delete template, so that a JavaScript payload carried in the request is reflected into the response. In the provided example, the URL xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain) shows how an attacker can set the xredirect parameter to a javascript: URL and thereby execute arbitrary JavaScript in the victim's browser. The request passes through the platform's legitimate template processing, specifically the delete template execution path, which is why standard input validation did not stop it. The vulnerability falls under CWE-79, which covers cross-site scripting: weaknesses that allow attackers to inject client-side scripts into web pages viewed by other users.
The operational impact of this vulnerability extends beyond simple script injection, since XSS can enable follow-on attacks such as session hijacking, credential theft, and data exfiltration. Combined with other attack vectors, it could allow unauthorized users to gain elevated privileges or access sensitive information within the wiki environment. The fact that a partial patch was provided in version 14.10.5 but proved insufficient highlights the complexity of the issue and the difficulty of properly addressing cross-site scripting flaws in large web platforms. Organizations running XWiki versions from 6.0-rc-1 through 14.10.5 remain at risk (the partial patch in 14.10.5 does not remove it), potentially affecting thousands of wiki instances worldwide.
The recommended mitigation is an immediate upgrade to XWiki 14.10.6 or 15.1, which contain the complete fix. Organizations unable to upgrade immediately should implement additional security controls such as web application firewalls, input validation, and output encoding to prevent malicious URL parameter values, such as the javascript: redirect above, from being processed. Security teams should also conduct thorough vulnerability assessments of their XWiki installations to identify any other potential attack vectors within the platform's template processing system. The vulnerability demonstrates the importance of proper parameter validation in web applications and aligns with ATT&CK technique T1566 (Phishing), which covers social engineering attacks that XSS vulnerabilities can facilitate, making this a critical security concern for any organization relying on wiki platforms for collaborative work.
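As an added illustration of the input validation mitigation recommended above (example code, not XWiki's own code or its actual fix), the following Python check accepts a redirect parameter only when it is a same-site path, and applies it to a constructed access-log excerpt to flag requests whose xredirect value carried a scheme. Function names and the log lines are assumptions; the first log line reuses the proof-of-concept URL quoted in the advisory.

```python
"""Allow-list check for a redirect parameter such as XWiki's ``xredirect``.

Added example, not XWiki's code: only same-site paths pass, so a value such as
``javascript:alert(document.domain)`` never reaches a redirect or an href.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Control characters (tab, CR, LF, ...) that browsers ignore inside a scheme.
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def is_safe_redirect(value: str) -> bool:
    """True only for a same-origin path such as ``/xwiki/bin/view/Main/``."""
    if not value:
        return False
    # Decode once so an encoded scheme is seen as the browser would see it,
    # then drop control characters so "java<TAB>script:" cannot hide the scheme.
    cleaned = _CTRL.sub("", unquote(value)).strip()
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return False  # any scheme (javascript:, data:, https:) or any host
    # "//host" and "/\host" leave the site even though urlsplit sees no scheme
    # (browsers treat a backslash as a slash in http(s) URLs).
    if cleaned.startswith(("//", "/\\")):
        return False
    return cleaned.startswith("/")


# Constructed access-log excerpt (hypothetical hosts and timestamps).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2023:10:01:02 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain) HTTP/1.1" 200 512
10.0.0.6 - - [23/Jun/2023:10:01:09 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=/xwiki/bin/view/FlamingoThemes/ HTTP/1.1" 200 480
10.0.0.7 - - [23/Jun/2023:10:02:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000
"""


def find_unsafe_redirects(log_text: str) -> list:
    """Return client IPs of requests whose xredirect value fails the check."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'^(\S+) .*"GET (\S+) HTTP', line)
        if not m:
            continue
        ip, target = m.groups()
        for value in parse_qs(urlsplit(target).query).get("xredirect", []):
            if not is_safe_redirect(value):
                hits.append(ip)
    return hits


if __name__ == "__main__":
    print("flagged clients:", find_unsafe_redirects(SAMPLE_LOG))
```

The same allow-list logic belongs server-side wherever a redirect target is taken from the request; the log scan only shows which past requests would have failed it.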