CVE-2023-36477: Persistent Cross-site Scripting (XSS) through CKEditor Configuration pages in XWiki Platform
First published: Fri Jun 30 2023(Updated: )
### Effect Any user with edit rights can edit all pages in the `CKEditor' space. This makes it possible to perform a variety of harmful actions, such as - removing technical documents, leading to loss of service - Editing the javascript configuration of CKEditor, leading to persistent XSS ### Patches This issue has been patched in XWiki 14.10.6 and XWiki 15.1. This issue has been patched on the CKEditor Integration extension 1.64.9 for XWiki version older than 14.6RC1. ### Workarounds The issue can be fixed manually by restricting the `edit` and `delete` rights to a trusted user or group (e.g. the `XWiki.XWikiAdminGroup` group), implicitly disabling those rights for all other users. See https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f ### References - https://jira.xwiki.org/browse/XWIKI-20590 - https://jira.xwiki.org/browse/CKEDITOR-508 - https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Ckeditor Integration | >=1.9<1.64.9 | |
| Xwiki Xwiki | >=14.6<14.10.6 | |
| Xwiki Xwiki | =15.0 | |
| Xwiki Xwiki | =15.0-rc1 | |
| maven/org.xwiki.platform:xwiki-platform-ckeditor-ui | >=15.0-rc-1<15.1 | 15.1 |
| maven/org.xwiki.contrib:application-ckeditor-ui | >=1.9<1.64.9 | 1.64.9 |
| maven/org.xwiki.platform:xwiki-platform-ckeditor-ui | >=14.6-rc-1<14.10.6 | 14.10.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2
- https://jira.xwiki.org/browse/CKEDITOR-508
- https://jira.xwiki.org/browse/XWIKI-20590
- https://nvd.nist.gov/vuln/detail/CVE-2023-36477
- https://github.com/advisories/GHSA-793w-g325-hrw2 (Advisory)
Frequently Asked Questions
What is CVE-2023-36477?
CVE-2023-36477 is a vulnerability in the XWiki Platform that allows any user with edit rights to edit all pages in the CKEditor space, potentially leading to harmful actions and loss of service.
How severe is CVE-2023-36477?
CVE-2023-36477 has a severity level of critical, with a severity score of 5.4.
Which software versions are affected by CVE-2023-36477?
Versions 1.9 to 1.64.9 of Xwiki Ckeditor Integration, versions 14.6 to 14.10.6 of Xwiki Xwiki, version 15.0 and version 15.0-rc1 of Xwiki Xwiki are affected by CVE-2023-36477.
How can I fix CVE-2023-36477?
To fix CVE-2023-36477, it is recommended to update to a version of XWiki Platform that is not affected by this vulnerability.
Where can I find more information about CVE-2023-36477?
More information about CVE-2023-36477 can be found in the XWiki Platform's GitHub repository, XWiki Platform's security advisories page, and the related JIRA issue CKEDITOR-508.
- collector/nvd-index
- collector/github-advisory-latest
- alias/GHSA-793w-g325-hrw2
- alias/CVE-2023-36477
- collector/nvd-cve
- collector/github-advisory
- agent/references
- agent/author
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/description
- agent/tags
- agent/event
- agent/first-publish-date
- vendor/xwiki
- canonical/xwiki ckeditor integration
- version/xwiki ckeditor integration/1.9
- canonical/xwiki xwiki
- version/xwiki xwiki/14.6
- version/xwiki xwiki/15.0
- version/xwiki xwiki/15.0-rc1
- package-manager/maven