A critical vulnerability has been discovered in XWiki Platform that allows any user with view rights on XWiki.AttachmentSelector to execute arbitrary Groovy, Python, or Velocity code in XWiki, leading to full access to the XWiki installation. This vulnerability has been assigned CVE-2023-29516 and has been fixed in XWiki versions 15.-rc-1, 14.10.1, 14.4.8, and 13.10.11. No known workarounds are currently available for this issue.

Introduction

XWiki Platform is a popular open-source generic wiki platform and collaborative application builder, which offers runtime services for applications built on top of it. A recently discovered vulnerability (CVE-2023-29516) in XWiki Platform enables attackers to execute arbitrary code on the system if they possess view rights on XWiki.AttachmentSelector.

Root Cause

The root cause of this vulnerability is improper escaping in the "Cancel and return to page" button on the XWiki.AttachmentSelector page, which comes installed by default. Due to this issue, any user with view rights on the page can execute arbitrary code, leading to potential security breaches.

Code Snippet

Below is a code snippet that demonstrates the vulnerability in the "Cancel and return to page" button. This example is for illustration purposes only and should not be used to exploit the vulnerability on a live system.

// Velocity expressions (${...}) are evaluated server-side and their output is
// written straight into this script, without being escaped for the JavaScript
// string context it lands in.
xwiki.XWiki.initialize();
xwiki.wysiwyg.select.custom('test', function(editorURL) {
    // "Cancel and return to page": the redirect target is built from unescaped output
    document.location.href = '${xwiki.getURL('Main.WebHome')}';
}, null, 'return ${xwiki.jsfx.use('js/xwiki/wysiwyg/xwikiattachmentselector.js', true)}');

Exploit Details

The vulnerability allows attackers to inject arbitrary code, such as Groovy, Python, or Velocity, in the XWiki platform. With full access to the XWiki installation, attackers can take control of the XWiki system and launch further attacks.

Patched Versions

The vulnerability has been fixed in the following XWiki Platform versions:

- 15.-rc-1
- 14.10.1
- 14.4.8
- 13.10.11

It is strongly recommended that users upgrade to one of these patched versions to protect their systems from this critical vulnerability.
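As an added example (not code from the advisory or from the XWiki project), the following Python check tells whether an installed XWiki Platform version string already contains the fix, which is useful when inventorying many instances. The four patched version numbers are the ones listed above; the branch rule (which release lines received a backport) and the reading of the 15.x entry as the first 15.0 release candidate are this example's assumptions, as are the function names.

```python
"""Check whether an XWiki Platform version string contains the fix for
CVE-2023-29516, using the patched versions named in the advisory.
The branch logic (which release lines got a backport) is an assumption
of this example; the version numbers themselves come from the advisory."""
import re

# First release of each maintained line that carries the fix.
# The advisory's 15.x entry is assumed to be the first 15.0 release
# candidate, so every 15.x or later release is treated as patched.
FIXED = {
    (13, 10): (13, 10, 11, 1, 0),  # 13.10.11
    (14, 4): (14, 4, 8, 1, 0),     # 14.4.8
    (14, 10): (14, 10, 1, 1, 0),   # 14.10.1
}

_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-rc-(\d+))?$", re.IGNORECASE)


def parse_version(version):
    """Return a comparable tuple (major, minor, patch, is_final, rc).

    Release candidates sort before the final release they precede:
    15.0-rc-1 -> (15, 0, 0, 0, 1) and 15.0 -> (15, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, rc = (int(g) if g is not None else 0 for g in m.groups())
    is_final = 0 if m.group(4) is not None else 1
    return (major, minor, patch, is_final, rc)


def is_patched(version):
    """True if `version` includes the CVE-2023-29516 fix, False otherwise.

    Lines that received no backport (for example 14.5 to 14.9, or 13.x lines
    other than 13.10) never carry the fix; their users must move to a fixed line.
    """
    v = parse_version(version)
    if v[0] >= 15:  # every 15.x release follows 15.0-rc-1
        return True
    fixed = FIXED.get((v[0], v[1]))
    return fixed is not None and v >= fixed


if __name__ == "__main__":
    for candidate in ("13.10.10", "13.10.11", "14.4.7", "14.4.8", "14.7.2",
                      "14.10", "14.10-rc-1", "14.10.1", "15.0-rc-1", "15.1"):
        print(f"{candidate:>10}: {'patched' if is_patched(candidate) else 'needs upgrade'}")
```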

For more information about this vulnerability and its patch, please refer to the following resources:

- XWiki Security Advisory: https://www.xwiki.org/xwiki/bin/view/Security/XWIKI-SA-2023-3
- CVE-2023-29516: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-29516
- XWiki Platform: https://www.xwiki.org/

Conclusion

CVE-2023-29516 is a critical vulnerability in XWiki Platform that allows attackers to execute arbitrary code if they have view rights on XWiki.AttachmentSelector. It is essential to upgrade to one of the patched XWiki versions (15.-rc-1, 14.10.1, 14.4.8, and 13.10.11) to protect your XWiki installation from potential exploits. No known workarounds are currently available for this issue.

Timeline

Published on: 04/19/2023 00:15:00 UTC
Last modified on: 04/28/2023 17:26:00 UTC