First published: Mon Jul 10 2023(Updated: )
### Impact

The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/x-www-form-urlencoded` as content types, all of which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions, but as of March 2023 these are not enabled by default in Firefox and Safari.

### Patches

The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks.

### Workarounds

It is possible to check for the `Origin` header in a reverse proxy to protect the REST endpoint from CSRF attacks; see [the Jira issue](https://jira.xwiki.org/browse/XWIKI-20135) for an example configuration.

### References

* https://jira.xwiki.org/browse/XWIKI-20135
* https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7
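As an added illustration of the workaround above (this is not XWiki's code and not the configuration from the Jira issue), the following Python function expresses the decision a reverse proxy or request filter would make in front of the REST endpoint: a state-changing request carrying one of the three form-submittable content types is rejected unless its `Origin` (or, failing that, `Referer`) matches the wiki's own origin. The REST path prefix and the set of allowed origins are assumptions for the example.

```python
# Added example, not XWiki's code: the Origin/content-type gate a reverse proxy
# or servlet filter can apply to the REST endpoint to block cross-site form
# submissions of the kind described in the advisory.
from urllib.parse import urlsplit

# The content types an HTML form can submit cross-site without a CORS preflight.
FORM_CONTENT_TYPES = {
    "text/plain",
    "multipart/form-data",
    "application/x-www-form-urlencoded",
}
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


def is_csrf_risk(method, path, headers, allowed_origins, rest_prefix="/xwiki/rest/"):
    """Return True if the request should be rejected as a possible CSRF.

    `allowed_origins` is the set of origins (scheme://host[:port]) the wiki is
    served from, and `rest_prefix` the REST mount point; both are assumptions
    of this example and must be adapted to the deployment. Header names are
    matched case-insensitively.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    if not path.startswith(rest_prefix):
        return False
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Only form-submittable bodies matter: a JSON or XML body cannot be sent by
    # an HTML form and triggers a CORS preflight from script.
    ctype = hdrs.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype not in FORM_CONTENT_TYPES:
        return False
    origin = hdrs.get("origin")
    if origin is None:
        # Fall back to Referer; reject when neither header identifies the source.
        referer = hdrs.get("referer")
        if referer is None:
            return True
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin.lower() not in {o.lower() for o in allowed_origins}
```

A same-origin request from the wiki's own pages (browser-supplied `Origin` matching `allowed_origins`) passes, while a form posted from another site, or one arriving with neither `Origin` nor `Referer`, is refused.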
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Xwiki Xwiki | >=1.8<14.10.8 | |
Xwiki Xwiki | >=15.0<15.2 | |
maven/org.xwiki.platform:xwiki-platform-rest-server | >=15.0-rc-1<15.2 | 15.2 |
maven/com.xpn.xwiki.platform:xwiki-rest | >=1.8<14.10.8 | 14.10.8 |
maven/com.xpn.xwiki.platform:xwiki-core-rest-server | >=1.8<14.10.8 | 14.10.8 |
maven/org.xwiki.platform:xwiki-platform-rest-server | >=1.8<14.10.8 | 14.10.8 |
CVE-2023-37277 is a vulnerability in XWiki Platform: the REST API executes all actions via POST requests with form-submittable content types, which allows cross-site request forgery and, when a user with programming rights is targeted, remote code execution through script macros.
CVE-2023-37277 has a severity rating of critical with a score of 9.
Versions between 1.8 and 14.10.8, and versions between 15.0 and 15.2 of XWiki Platform are affected by CVE-2023-37277.
To fix CVE-2023-37277, it is recommended to update XWiki Platform to a version that includes the necessary security patches.
You can find more information about CVE-2023-37277 in the XWiki issue tracker and security advisories.