CVE-2023-48240 in XWiki
Summary
by MITRE • 11/20/2023
XWiki Platform is a generic wiki platform. The rendered diff in XWiki embeds images to be able to compare the contents and not display a difference for an actually unchanged image. For this, XWiki requests all embedded images on the server side. These requests are also sent for images from other domains and include all cookies that were sent in the original request to ensure that images with restricted view right can be compared. Starting in version 11.10.1 and prior to versions 14.10.15, 15.5.1, and 15.6, this allows an attacker to steal login and session cookies that allow impersonating the current user who views the diff. The attack can be triggered with an image that references the rendered diff, thus making it easy to trigger. Apart from stealing login cookies, this also allows server-side request forgery (the result of any successful request is returned in the image's source) and viewing protected content, as once a resource is cached, it is returned for all users. As only successful requests are cached, the cache will be filled by the first user who is allowed to access the resource. This has been patched in XWiki 14.10.15, 15.5.1 and 15.6. The rendered diff now only downloads images from trusted domains. Further, cookies are only sent when the image's domain is the same as the requested domain. The cache has been changed to be specific for each user. As a workaround, the image embedding feature can be disabled by deleting `xwiki-platform-diff-xml-.jar` in `WEB-INF/lib/`.
Analysis
by VulDB Data Team • 12/14/2023
The vulnerability CVE-2023-48240 affects the XWiki Platform, a generic wiki platform that provides rendering capabilities for document differences. The flaw resides in how the platform handles image embedding within rendered diffs, creating a critical security risk through improper handling of cross-domain requests and authentication cookies. This vulnerability specifically impacts versions 11.10.1 through 14.10.14 and 15.5.0, where the system's diff rendering mechanism inadvertently exposes sensitive authentication data.
The technical root of this vulnerability is XWiki's approach to comparing document content by fetching embedded images on the server side. When rendering diffs, the system makes requests to retrieve embedded images from the same server, and these requests include all cookies from the original request so that images with restricted viewing rights can still be compared. This design flaw becomes exploitable when an attacker crafts a malicious image that references the rendered diff page, so the attack executes automatically when a user views the diff. The mechanism amounts to server-side request forgery: requests to external domains carry the user's authentication cookies, enabling unauthorized access to protected resources.
The operational impact of this vulnerability is severe and multifaceted, encompassing credential theft, unauthorized access, and data exposure. Attackers can steal login cookies and session identifiers, enabling full impersonation of legitimate users who view the affected diff pages. This represents a direct violation of authentication controls and can lead to complete account compromise. Additionally, the vulnerability enables server-side request forgery attacks where the system makes requests to internal or external resources using the victim's credentials, potentially accessing protected content or performing unauthorized operations. The caching mechanism exacerbates the risk by allowing successful requests to be cached and subsequently returned to all users, meaning that once an attacker gains access to protected resources through this method, the cache serves those resources to every subsequent user who accesses the diff.
The vulnerability aligns with CWE-352 (Cross-Site Request Forgery) and CWE-200 (Information Exposure) categories, while also demonstrating characteristics of ATT&CK technique T1566 (Phishing) through the automatic execution mechanism and T1567 (Exfiltration Over Web Service) through the data retrieval capabilities. The attack vector is particularly dangerous because it requires minimal user interaction beyond viewing the diff page, making it highly effective for mass credential theft. The patch implemented by XWiki addresses these issues by restricting image downloads to trusted domains only, implementing domain-based cookie sending controls, and changing the caching mechanism to be user-specific rather than global. This multi-layered approach effectively eliminates the credential theft risk while maintaining the platform's core functionality.
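The three fixes described above (trusted-domain allowlist, cookies only for same-domain images, per-user cache keys) as a small policy module. This is an added illustration written for this page, not XWiki's own code; the allowlist, function names and URLs are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist of hosts the diff renderer may fetch images from
# (assumption; XWiki's real configuration is not shown on this page).
TRUSTED_IMAGE_HOSTS = {"wiki.example.org", "static.example.org"}


def _host(url: str) -> str:
    """Return the lower-cased host of an http(s) URL, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported image URL: {url!r}")
    return parts.hostname.lower()


def is_trusted_image_url(image_url: str) -> bool:
    """Fix 1: only download images whose host is on the allowlist."""
    try:
        return _host(image_url) in TRUSTED_IMAGE_HOSTS
    except ValueError:
        return False


def cookies_for_image(request_url: str, image_url: str, cookies: dict) -> dict:
    """Fix 2: forward the viewer's cookies only when the image's domain equals
    the domain of the request that triggered the diff; otherwise send none.
    The vulnerable pre-patch behaviour forwarded `cookies` unconditionally."""
    try:
        same_domain = _host(request_url) == _host(image_url)
    except ValueError:
        same_domain = False
    return dict(cookies) if same_domain else {}


def cache_key(user_id: str, image_url: str) -> tuple:
    """Fix 3: key the image cache per user, so a resource one user may read
    is never served from the shared cache to a user without that right."""
    return (user_id, image_url)


def plan_image_fetch(user_id: str, request_url: str, image_url: str, cookies: dict):
    """Decide what the renderer may do for one embedded image; None = skip it."""
    if not is_trusted_image_url(image_url):
        return None  # untrusted host: image is not fetched at all
    return {
        "url": image_url,
        "cookies": cookies_for_image(request_url, image_url, cookies),
        "cache_key": cache_key(user_id, image_url),
    }
```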
Organizations using affected XWiki versions should immediately apply the available patches to versions 14.10.15, 15.5.1, and 15.6, which contain the necessary security fixes. As a temporary workaround, administrators can disable the vulnerable image embedding feature by removing the `xwiki-platform-diff-xml-.jar` file from the `WEB-INF/lib/` directory, though this approach limits the platform's diff rendering capabilities. The security implications extend beyond immediate credential theft to potential internal network reconnaissance and unauthorized access to sensitive information, making prompt remediation essential for maintaining system integrity and user authentication security.