CVE-2023-45137 in XWiki

Summary

by MITRE • 10/26/2023

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. `org.xwiki.platform:xwiki-platform-web` starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus XSS. The injected code is the document reference of the existing document so this requires that the attacker first creates a non-empty document whose name contains the attack code. This has been patched in `org.xwiki.platform:xwiki-platform-web` version 13.4-rc-1 and `org.xwiki.platform:xwiki-platform-web-templates` versions 14.10.12 and 15.5-rc-1 by adding the appropriate escaping. The vulnerable template file `createinline.vm` is part of XWiki's WAR and can be patched by manually applying the changes from the fix.


Analysis

by VulDB Data Team • 11/18/2023

The vulnerability CVE-2023-45137 affects the XWiki Platform, a widely used generic wiki platform that provides runtime services for applications built on top of it. This cross-site scripting vulnerability exists in multiple components including org.xwiki.platform:xwiki-platform-web and org.xwiki.platform:xwiki-platform-web-templates. The flaw is particularly concerning as it demonstrates how seemingly benign error handling can become a security risk when proper input sanitization is omitted. The vulnerability impacts versions starting from 3.1-milestone-2 up to but not including 13.4-rc-1 for the main web component, and versions prior to 14.10.12 and 15.5-rc-1 for the web templates component. The security implications are significant as this vulnerability enables attackers to execute malicious scripts in the context of a victim's browser, potentially leading to session hijacking, data theft, or privilege escalation.

The technical flaw manifests in the document creation process: when a user attempts to create a document that already exists, XWiki displays an error message in the creation form. The vulnerability stems from insufficient HTML escaping in the generation of that error message, specifically within the createinline.vm template file. The message includes the document reference of the existing document, but the template fails to escape this content before rendering it in the browser. This raw HTML injection allows attackers to inject JavaScript that executes when users view the error message. The attack has a prerequisite: the attacker must first create a non-empty document whose name contains the malicious code, since the vulnerability only affects the display of existing document references in error messages. This represents a classic reflected XSS vulnerability pattern where user-controllable input flows directly into the output without proper sanitization.

The operational impact of this vulnerability extends beyond simple script execution as it can be leveraged for more sophisticated attacks within the XWiki environment. According to CWE classification, this vulnerability maps to CWE-79: Improper Neutralization of Input During Web Page Generation, which is a fundamental web application security weakness. The attack vector requires user interaction and specific conditions to be met, making it less trivial than some other XSS vulnerabilities, but still poses a genuine threat to XWiki deployments. The vulnerability affects the core functionality of document management within the platform, potentially allowing attackers to manipulate user sessions, steal sensitive information, or gain unauthorized access to restricted areas. Organizations running XWiki platforms in production environments are particularly at risk as this vulnerability can be exploited by unauthenticated users to compromise the security of the entire wiki system.

The recommended mitigations for CVE-2023-45137 involve upgrading to the patched versions of the affected components. The fix implemented in org.xwiki.platform:xwiki-platform-web version 13.4-rc-1 and org.xwiki.platform:xwiki-platform-web-templates versions 14.10.12 and 15.5-rc-1 addresses the vulnerability by adding proper HTML escaping to the error message generation process. This aligns with ATT&CK framework technique T1203: Exploitation for Client Execution, which covers the use of XSS vulnerabilities for client-side exploitation. Organizations should prioritize upgrading their XWiki installations to the patched versions to eliminate the risk. For environments where immediate upgrades are not feasible, manual patching of the createinline.vm template file is recommended as an interim solution. The fix ensures that document references displayed in error messages are properly escaped before rendering, preventing malicious code injection. Security teams should also implement additional monitoring for suspicious document creation patterns and consider implementing Content Security Policy headers as an additional defense-in-depth measure to mitigate potential exploitation attempts.
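The following Python snippet is an added illustration and not XWiki's own code: it models the "document already exists" message from the create form in two variants, one that interpolates the document reference raw (the pattern behind CVE-2023-45137) and one that HTML-escapes it (the shape of the fix), and then runs the kind of check a security team might use to flag document creations whose names contain HTML markup, as suggested above. The message text, the in-memory document store, the log line format and all function names are assumptions made for this example; the real template is Velocity, not Python, and XWiki's actual log format differs.

```python
"""
Added example (not XWiki's code): vulnerable vs. escaped rendering of a
"document already exists" error message, plus a log check for document
names carrying HTML markup. Names, message text and log format are assumed.
"""
from __future__ import annotations

import html
import re

# Constructed in-memory "wiki": document reference -> content.
# The second entry is a non-empty document whose name carries markup,
# which is the precondition the advisory describes.
EXISTING_DOCS = {
    "Main.WebHome": "Welcome",
    "Sandbox.Test<script>alert(1)</script>": "not empty",
}


def document_exists(reference: str) -> bool:
    return reference in EXISTING_DOCS


def render_error_vulnerable(reference: str) -> str:
    # The reference is interpolated raw into markup, so the browser will
    # parse any tags it contains. This is the unpatched behaviour.
    return f'<div class="box errormessage">Document {reference} already exists.</div>'


def render_error_fixed(reference: str) -> str:
    # html.escape turns < > & " ' into entities, so the reference is shown
    # as text and cannot open a tag or attribute.
    return f'<div class="box errormessage">Document {html.escape(reference, quote=True)} already exists.</div>'


def create_document(reference: str, escape: bool) -> str:
    """Model of the create form: return an error fragment if the target exists, else ''."""
    if not document_exists(reference):
        return ""
    render = render_error_fixed if escape else render_error_vulnerable
    return render(reference)


# Any HTML tag opener (e.g. "<script", "</b", "<!--") inside a document name.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]")


def contains_markup(reference: str) -> bool:
    return bool(TAG_RE.search(reference))


# Constructed log lines; the format is assumed and is not XWiki's.
SAMPLE_LOG = """\
2023-10-26T10:00:01Z user=alice action=create doc="Main.Notes"
2023-10-26T10:00:07Z user=mallory action=create doc="Sandbox.Test<script>alert(1)</script>"
2023-10-26T10:00:09Z user=bob action=create doc="Main.Notes"
"""

LOG_RE = re.compile(r'user=(\S+) action=create doc="(.*)"$')


def suspicious_creations(log_text: str) -> list[tuple[str, str]]:
    """Return (user, document) pairs whose document name contains HTML markup."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and contains_markup(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    ref = "Sandbox.Test<script>alert(1)</script>"
    print("vulnerable:", create_document(ref, escape=False))
    print("fixed:     ", create_document(ref, escape=True))
    print("flagged:   ", suspicious_creations(SAMPLE_LOG))
```

The escaped variant is the only change needed to close the hole: the document reference is still displayed, but as inert text. The log check is a coarse heuristic for the monitoring suggested above, since legitimate names can contain angle brackets; it is meant to surface candidates for review rather than block creation.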

Responsible

GitHub, Inc.

Reservation

10/04/2023

Disclosure

10/26/2023

Moderation

accepted

CPE

ready

EPSS

0.00623

KEV

no

Activities

very low

Sources
