CVE-2023-46242: Code injection in XWiki Platform
First published: Tue Nov 07 2023(Updated: )
### Impact In XWiki Platform, it's possible to execute content with the right of any user if you can make this user follow a crafted URL. This is possible because edit action sets and thereby executes the page content without checking for a cross-site request forgert (CSRF) token. To reproduce: Get a user with programming rights to visit the URL `<xwiki-host>/xwiki/bin/edit/Main/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view`, where `<xwiki-host>` is the URL of your XWiki installation. This can be done by embedding an image with this URL. The text "Hello from Groovy!" is displayed in the page content, showing that the Groovy macro has been executed. ### Patches This has been patched in XWiki 14.10.7 and 15.2-RC-1. ### Workarounds There are no known workarounds for it. ### References * https://jira.xwiki.org/browse/XWIKI-20386 * https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org)
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | >=1.0<14.10.7 | |
| Xwiki Xwiki | >=15.0<15.2 | |
| maven/org.xwiki.platform:xwiki-platform-oldcore | >=15.0<15.2-rc-1 | 15.2-rc-1 |
| maven/org.xwiki.platform:xwiki-platform-oldcore | >=1.0<14.10.7 | 14.10.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-hgpw-6p4h-j6h5
- https://jira.xwiki.org/browse/XWIKI-20386
- https://nvd.nist.gov/vuln/detail/CVE-2023-46242
- https://github.com/advisories/GHSA-hgpw-6p4h-j6h5 (Advisory)
Frequently Asked Questions
What is the impact of CVE-2023-46242?
The impact of CVE-2023-46242 is that it allows an attacker to execute content with the rights of any user if they can make the user follow a crafted URL.
How can I reproduce the vulnerability in CVE-2023-46242?
To reproduce the vulnerability in CVE-2023-46242, you need to get a user with programming rights to visit the URL <xwiki-host>/xwiki/bin/edit/Main/?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7D%7D
What is the affected software version for CVE-2023-46242?
The affected software versions for CVE-2023-46242 are XWiki Platform 15.0 to 15.2-rc-1 and XWiki Platform 1.0 to 14.10.7.
What is the severity of CVE-2023-46242?
The severity of CVE-2023-46242 is critical with a score of 9.7.
How can I fix CVE-2023-46242?
To fix CVE-2023-46242, update to XWiki Platform version 15.2-rc-1 or 14.10.7.
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-hgpw-6p4h-j6h5
- alias/CVE-2023-46242
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/severity
- agent/title
- agent/weakness
- agent/type
- agent/event
- agent/description
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/references
- collector/mitre-cve
- source/MITRE
- vendor/xwiki
- canonical/xwiki xwiki
- version/xwiki xwiki/1.0
- version/xwiki xwiki/15.0
- package-manager/maven