CVE-2023-35162 in XWiki

Summary

by MITRE • 06/23/2023

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload allowing injection of JavaScript into the page (XSS). It's possible to exploit the previewactions template to perform an XSS, e.g. by using a URL such as: /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain). This vulnerability has existed since XWiki 6.1-rc-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.


Analysis

by VulDB Data Team • 07/16/2023

The CVE-2023-35162 vulnerability is a critical cross-site scripting flaw in the XWiki Platform, a widely used generic wiki platform that serves as a foundation for various enterprise applications. The flaw lies in the previewactions template, which lets a user manipulate URL parameters to inject JavaScript into a rendered page. An attacker can construct a specially crafted URL that executes arbitrary JavaScript when processed by the platform's rendering engine, a significant risk for organizations relying on XWiki for collaborative content management and document sharing.

Technically, the URL targets the previewactions.vm template through the xpage parameter (set to xpart), combined with the vm parameter naming the previewactions.vm file. The attack vector is the xcontinue parameter, whose value is carried into the page without sufficient validation, as in the example javascript:alert(document.domain). Because the value passes through the platform's template processing rather than a validated input path, the injected JavaScript executes in the context of the victim's browser session. The vulnerability has existed since version 6.1-rc-1, a prolonged exposure window during which it could have been exploited.

The operational impact goes beyond simple script execution: the flaw can be leveraged for session hijacking, credential theft, and data exfiltration. When a user follows a maliciously crafted URL, the injected JavaScript runs with the victim's session, potentially allowing an attacker to impersonate that user and reach sensitive information. The vulnerability affects XWiki versions prior to 14.10.5 and 15.1-rc-1, a substantial risk for enterprises that have not yet applied the patches, since it could be used to compromise user accounts, read confidential documents, and escalate privileges within the wiki.

Security professionals should note that this vulnerability maps to CWE-79 Cross-site Scripting in the Common Weakness Enumeration catalog, specifically classified as a stored XSS variant that occurs during template processing. The ATT&CK framework categorizes this as a technique for initial access and privilege escalation through web application vulnerabilities. Organizations should prioritize immediate patching of affected systems, as the extended exposure window suggests potential exploitation in the wild. Patching means updating to XWiki 14.10.5 or 15.1-rc-1, combined with monitoring for suspicious URL patterns and user behavior that might indicate exploitation attempts.
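As an added example (not code from VulDB or from the XWiki project), the following Python script shows the two defensive pieces the analysis above calls for: an allow-list check that accepts only same-origin path continuation values for a parameter such as xcontinue, and a scanner that flags access-log requests to previewactions.vm whose xcontinue value would fail that check. The log lines, client addresses and page names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Jul/2023:10:01:02 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
10.0.0.7 - - [16/Jul/2023:10:01:09 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=javascript:alert(document.domain) HTTP/1.1" 200 812
10.0.0.7 - - [16/Jul/2023:10:01:15 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=previewactions.vm&xcontinue=%2Fxwiki%2Fbin%2Fview%2FMain%2F HTTP/1.1" 200 812
10.0.0.9 - - [16/Jul/2023:10:02:00 +0000] "GET /xwiki/bin/get/Some/Page?xpage=xpart&vm=previewactions.vm&xcontinue=JaVaScRiPt%3Aalert(1) HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')


def is_safe_continue(value: str) -> bool:
    """Allow-list: a continuation target must be a same-origin, path-only URL.

    Decoding once more catches double-encoded values; stripping removes the
    leading whitespace browsers ignore in front of a scheme such as javascript:.
    """
    v = unquote(value).strip()
    if not v.startswith("/"):
        return False          # bare value or one carrying a scheme (javascript:, data:, http:)
    if v[1:2] in ("/", "\\"):
        return False          # scheme-relative (//host) or backslash variant some browsers accept
    return urlsplit(v).scheme == ""


def flag_request(log_line: str):
    """Return (client, decoded xcontinue) for a previewactions.vm request with an unsafe xcontinue."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    client, target = m.groups()
    params = parse_qs(urlsplit(target).query)   # percent-decodes values
    if "previewactions.vm" not in params.get("vm", []):
        return None
    for value in params.get("xcontinue", []):
        if not is_safe_continue(value):
            return (client, unquote(value))
    return None


def scan(log_text: str):
    """Scan a whole log; returns one (client, payload) tuple per flagged request."""
    return [hit for hit in (flag_request(line) for line in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, payload in scan(SAMPLE_LOG):
        print(f"suspect previewactions request from {client}: xcontinue={payload!r}")
```

Running it reports the two requests carrying a javascript: scheme (including the mixed-case variant) and stays silent on the percent-encoded same-origin path.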

Responsible

GitHub, Inc.

Reservation

06/14/2023

Disclosure

06/23/2023

Moderation

accepted

CPE

ready

EPSS

0.02397

KEV

no

Activities

very low

Sources
