CVE-2023-29209: Arbitrary Code Execution via Legacy Notification Activity Macro in XWiki Commons

XWiki Commons, a collection of technical libraries shared by the top-level XWiki projects, contains a severe security vulnerability that allows an attacker to execute arbitrary Groovy, Python, or Velocity code, which can ultimately give full access to the XWiki installation. The vulnerability, identified as CVE-2023-29209, affects XWiki instances on which the legacy notification activity macro is installed, as it is by default.

Exploit Details

The root cause of this vulnerability is the improper escaping of macro parameters within the legacy notification activity macro. It can be triggered from any wiki page the attacker is able to edit, including the attacker's own user profile, and even an attacker with only view rights on commonly accessible documents can exploit it through the HTMLConverter that is bundled with XWiki's CKEditor integration.

Here is an example of a vulnerable code snippet within the legacy notification activity macro:

## Velocity macro that interpolates its parameter without escaping it
#macro(foo $bar)
    #set($baz = "$!bar")
#end
## The caller passes attacker-controlled content straight into the macro
#foo("<script>alert('xss')</script>")

In this example, the $bar parameter of the foo macro is not properly escaped before it is interpolated, so whatever the caller passes in is used verbatim, which allows the execution of arbitrary code.
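The same flaw and its fix in a minimal Velocity macro, added here as an illustration and not the notification activity macro's own code: the macro renders a caller-supplied parameter into XWiki 2.1 wiki syntax, first unescaped and then escaped. It assumes the code sits inside a {{velocity}} macro on a wiki page and that XWiki's $services.rendering.escape(content, syntax) script API accepts the 'xwiki/2.1' syntax identifier.

```velocity
{{velocity}}
## Vulnerable pattern: the parameter is concatenated into the wiki
## syntax that this Velocity block outputs. That output is parsed as
## XWiki 2.1, so any macro markers in the value become real macro
## calls, and they run with the rights of the page author, not the
## rights of whoever supplied the value.
#macro(showActivityTitleUnsafe $title)
(% class="activity-title" %)**$title**
#end

## Hardened pattern: escape the value for the target syntax before
## inserting it, so macro markers, formatting and links in the value
## are rendered as literal text.
## Assumption: $services.rendering.escape(content, syntax) is XWiki's
## rendering script service and 'xwiki/2.1' names the output syntax.
#macro(showActivityTitleSafe $title)
#set($escapedTitle = $services.rendering.escape($title, 'xwiki/2.1'))
(% class="activity-title" %)**$escapedTitle**
#end

## Constructed sample: a title of the kind a user can set in a field
## they control, such as their profile. A harmless info macro stands in
## for any macro an attacker might inject.
#set($untrusted = 'Build done {{info}}injected macro{{/info}}')

## Renders the info box: the injected macro executed.
#showActivityTitleUnsafe($untrusted)

## Renders the literal text "Build done {{info}}injected macro{{/info}}".
#showActivityTitleSafe($untrusted)
{{/velocity}}
```

When reviewing Velocity-based macros, treat every parameter that ends up in rendered wiki syntax as untrusted and check that it passes through the escape call for the page's syntax.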

Patched Versions

- XWiki 14.10

Users are advised to upgrade their XWiki installation to one of the patched versions mentioned above to mitigate the risk of exploitation.

Original References

- XWiki Security Advisory
- XWiki Commons GitHub Repository
- CKEditor Integration for XWiki GitHub Repository
- XWiki Documentation

Conclusion

This vulnerability highlights the importance of properly sanitizing and escaping macro parameters within applications. Users of XWiki Commons should immediately upgrade their XWiki installation to a patched version to prevent potential code execution attacks. Additionally, developers should be aware of these types of vulnerabilities when building applications and always apply best practices for secure coding.

Timeline

Published on: 04/15/2023 17:15:00 UTC
Last modified on: 04/25/2023 17:26:00 UTC