First published: Mon Oct 16 2023
### Impact

When logging in via the OAuth method, the identityOAuth parameters sent in a GET request are vulnerable to XSS and XWiki syntax injection. Because injected wiki syntax can invoke the groovy macro, this allows remote code execution and thus affects the confidentiality, integrity and availability of the whole XWiki installation. The vulnerable code is [this part](https://github.com/xwikisas/identity-oauth/blob/master/ui/src/main/resources/IdentityOAuth/LoginUIExtension.vm#L58) of the LoginUIExtension template.

### Patches

The issue has been fixed in Identity OAuth version 1.6 by https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6 . The fix is in the content of the [IdentityOAuth/LoginUIExtension](https://github.com/xwikisas/identity-oauth/commit/d805d3154b17c6bf455ddf5deb0a3461a3833bc6#diff-2ab2e0716443d790d7d798320e4a45151661f4eca5440331f4a227b29c87c188) file.

### Workarounds

There are no known workarounds besides upgrading.

### References

* Original report: https://jira.xwiki.org/browse/XWIKI-20719
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/com.xwiki.identity-oauth:identity-oauth-ui | >=1.0, <1.6 | Upgrade to 1.6 |
XWiki Identity OAuth | >=1.0, <1.6 | Upgrade to 1.6 |
CVE-2023-45144 allows an attacker to execute remote code through the groovy macro, compromising the confidentiality, integrity, and availability of the XWiki installation.
The vulnerability can be exploited by sending malicious identityOAuth parameters in a GET request when logging in via the OAuth method; the parameter values are rendered without escaping, so they are interpreted as HTML and as XWiki syntax.
The vulnerability affects versions 1.0 up to, but not including, 1.6 of the com.xwiki.identity-oauth:identity-oauth-ui package; version 1.6 contains the fix.
Updating the com.xwiki.identity-oauth:identity-oauth-ui package to version 1.6 or later fixes the vulnerability; there is no other known workaround.
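The following Python is an added illustration of the two sinks the advisory names, not code from the identity-oauth extension or from the advisory itself. It models a GET parameter interpolated into XWiki 2.x wiki syntax (where an injected macro such as `{{groovy}}` becomes code execution) and the same parameter written into an HTML attribute (XSS), beside the escaped forms. The template strings, the `~`-prefix escaping helper and the toy macro scanner are assumptions that stand in for XWiki's Velocity template and renderer; the payload is constructed and its groovy body is harmless.

```python
import html
import re

# Constructed attacker-controlled value, standing in for one of the identityOAuth
# GET parameters named in the advisory. It carries both an HTML/XSS payload and
# an XWiki groovy macro; the macro body is deliberately harmless.
PAYLOAD = '<img src=x onerror=alert(1)>{{groovy}}println "injected"{{/groovy}}'

# Matches the opening of an XWiki 2.x macro such as {{groovy}} or {{html}}.
# A leading '/' marks a closing tag, which invokes nothing.
MACRO_RE = re.compile(r"\{\{(/?)([A-Za-z][A-Za-z0-9]*)")


def macros_invoked(wiki_text: str) -> list:
    """Toy scanner: names of the macros an XWiki 2.x renderer would run.

    It honors the XWiki escape character '~', which makes the following
    character literal, so '~{~{groovy}}' is plain text. This is an assumption
    that models the renderer's behavior; it is not XWiki's parser.
    """
    names = []
    i = 0
    while i < len(wiki_text):
        if wiki_text[i] == "~":
            i += 2  # escaped character: never markup
            continue
        m = MACRO_RE.match(wiki_text, i)
        if m and m.group(1) == "":
            names.append(m.group(2))
            i = m.end()
            continue
        i += 1
    return names


def escape_xwiki_syntax(value: str) -> str:
    """Neutralize XWiki 2.x syntax by prefixing every character with '~'.

    Assumption: this has the same effect as escaping the value for wiki
    syntax before it is emitted from a Velocity template.
    """
    return "".join("~" + ch for ch in value)


def escape_for_html(value: str) -> str:
    """Escape a value for inclusion in HTML text or attribute content."""
    return html.escape(value, quote=True)


# Hypothetical template line (not the extension's): the parameter is
# interpolated straight into wiki syntax, so any macro it carries runs.
def login_link_vulnerable(provider: str) -> str:
    return f"(% class='oauth-login' %)(((Log in with {provider})))"


def login_link_hardened(provider: str) -> str:
    return f"(% class='oauth-login' %)(((Log in with {escape_xwiki_syntax(provider)})))"


# Hypothetical HTML sink: the same parameter inside an attribute value.
def html_attribute_vulnerable(provider: str) -> str:
    return f'<a class="oauth-login" title="{provider}">Log in</a>'


def html_attribute_hardened(provider: str) -> str:
    return f'<a class="oauth-login" title="{escape_for_html(provider)}">Log in</a>'


if __name__ == "__main__":
    print("vulnerable wiki sink runs:", macros_invoked(login_link_vulnerable(PAYLOAD)))
    print("hardened wiki sink runs:  ", macros_invoked(login_link_hardened(PAYLOAD)))
    print("hardened html sink:       ", html_attribute_hardened(PAYLOAD))
```

The point of the two hardened variants is that each sink needs its own escaper: wiki-syntax escaping stops macro injection but does nothing for a value that lands directly in HTML, and HTML escaping does nothing for a value the wiki renderer parses first.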