The XWiki Commons project, a set of technical libraries used by many popular XWiki projects, contains a security vulnerability in the restricted mode of its HTML cleaner that has been present since version 4.2-milestone-1. Attackers can inject malicious JavaScript through certain attributes and HTML tags such as <iframe> that the cleaner does not escape properly, resulting in cross-site scripting (XSS) attacks. In this blog post, we dive into the details of the vulnerability, provide code examples, and discuss the potential impact on applications that rely on XWiki Commons. We also list references and describe the current resolution for this issue.

Exploit Details

The restricted mode of the HTML cleaner in XWiki Commons, designed to remove potentially harmful content from HTML, unfortunately only escaped <script> and <style> tags but not other dangerous HTML tags or attributes that could be used to inject scripts. Consequently, applications relying on this mode for security purposes are left vulnerable to cross-site scripting (XSS) attacks.

An example of exploiting this vulnerability would involve an attacker posting a comment on an XWiki page that contains malicious JavaScript code within an unescaped HTML tag or attribute. The code snippet below demonstrates an example of such an attack using the <iframe> tag:

<iframe src="javascript:alert('XSS Vulnerability')"></iframe>

When a privileged user with programming rights visits the XWiki page containing such a comment, the malicious JavaScript code is executed in the context of their user session. This could compromise the confidentiality, integrity, and availability of the affected XWiki instance.

Fix and Resolution

XWiki developers have addressed this security vulnerability in version 14.6 RC1 of the XWiki Commons project. They introduced a new filter that is enabled in restricted mode, which specifies a list of allowed HTML elements and attributes. This filter effectively prevents JavaScript injection via the restricted mode HTML cleaner.
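The difference between the two approaches, as an added example (not XWiki's code): a simplified Python model of a cleaner that escapes only <script> and <style>, next to an allowlist filter of the kind the fix describes. The element and attribute lists, the URL pattern and all function names are assumptions made for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlists for illustration; a production list is longer.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_URL = re.compile(r"^(https?:|mailto:|/|#)", re.IGNORECASE)
# The iframe snippet shown earlier in this post.
PAGE_PAYLOAD = "<iframe src=\"javascript:alert('XSS Vulnerability')\"></iframe>"

def denylist_clean(markup):
    """Model of the pre-fix behaviour: only <script>/<style> tags are escaped."""
    return re.sub(r"<(/?)(script|style)\b([^>]*)>",
                  lambda m: html.escape(m.group(0)), markup, flags=re.IGNORECASE)

class AllowlistCleaner(HTMLParser):
    """Re-emits only allowlisted elements and attributes; escapes the rest."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Element not on the list: emit it as inert text, not markup.
            self.out.append(html.escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # attribute not listed for this element
            if name == "href" and not SAFE_URL.match((value or "").strip()):
                continue  # URL scheme not on the allowlist
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        end = f"</{tag}>"
        self.out.append(end if tag in ALLOWED_TAGS else html.escape(end))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def allowlist_clean(markup):
    cleaner = AllowlistCleaner()
    cleaner.feed(markup)
    cleaner.close()
    return "".join(cleaner.out)
```

Passing PAGE_PAYLOAD to denylist_clean returns it unchanged, while allowlist_clean returns it with the iframe tags entity-escaped so the browser renders them as text.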

To protect your XWiki instance from this vulnerability, it is highly recommended to upgrade to a version containing the fix, i.e., XWiki Commons version 14.6 RC1 or later. There are no known workarounds apart from upgrading to a version including the fix.

Original References

1. The official XWiki Commons website: XWiki Commons
2. XWiki 14.6 RC1 release notes: XWiki 14.6 RC1
3. CVE-2023-29201 details: CVE-2023-29201

Conclusion

In this blog post, we have discussed the CVE-2023-29201 vulnerability affecting the restricted mode of the HTML cleaner in the XWiki Commons project. By not adequately escaping certain HTML tags and attributes, this vulnerability has left applications leveraging XWiki Commons vulnerable to JavaScript injection and cross-site scripting attacks. To secure your applications and ensure the privacy and integrity of your users, it is strongly recommended to upgrade to a version of XWiki Commons containing the necessary security fix as soon as possible.

Timeline

Published on: 04/15/2023 15:15:00 UTC
Last modified on: 04/25/2023 18:26:00 UTC