CVE-2023-50721: XWiki Platform RCE from account through SearchAdmin
First published: Fri Dec 15 2023(Updated: )
### Impact The search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user. To reproduce, edit any document with the object editor, add an object of type `XWiki.UIExtensionClass`, set "Extension Point Id" to `org.xwiki.platform.search`, set "Extension ID" to `{{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}`, set "Extension Parameters" to `label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}}` and "Extension Scope" to "Current User". Then open the page `XWiki.SearchAdmin`, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki's log that announce that attacks succeeded, the instance is vulnerable. ### Patches The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766#diff-2272c913e5ca43813e52f8fa748c9b043bf0f01561908d7eba6ca3601d8475c4) can be manually applied to the page `XWiki.SearchAdmin`. ### References * https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766 * https://jira.xwiki.org/browse/XWIKI-21200
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.xwiki.platform:xwiki-platform-search-ui | >=15.6-rc-1<15.7-rc-1 | 15.7-rc-1 |
| maven/org.xwiki.platform:xwiki-platform-search-ui | >=15.0-rc-1<15.5.2 | 15.5.2 |
| maven/org.xwiki.platform:xwiki-platform-search-ui | >=4.5-rc-1<14.10.15 | 14.10.15 |
| Xwiki | >=4.5<14.10.5 | |
| Xwiki | >=15.0<15.5.2 | |
| Xwiki | =15.6 | |
| Xwiki | =15.6-rc1 | |
| Xwiki | =15.7-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7654-vfh6-rw6x
- https://nvd.nist.gov/vuln/detail/CVE-2023-50721
- https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
- https://jira.xwiki.org/browse/XWIKI-21200
- https://github.com/advisories/GHSA-7654-vfh6-rw6x (Advisory)
Frequently Asked Questions
What is the severity of CVE-2023-50721?
CVE-2023-50721 has a high severity rating due to the potential for remote code execution.
How do I fix CVE-2023-50721?
To fix CVE-2023-50721, you should upgrade to XWiki version 15.7-rc-1, 15.5.2, or 14.10.15.
What is the impact of CVE-2023-50721?
CVE-2023-50721 allows for remote code execution through improper escaping in the search administration interface.
Which versions are affected by CVE-2023-50721?
CVE-2023-50721 affects XWiki versions between 4.5 and 14.10.15 as well as 15.0-rc-1 to 15.6-rc-1.
Is CVE-2023-50721 a known vulnerability?
Yes, CVE-2023-50721 is a known vulnerability that has been documented and recognized in the cybersecurity community.
- collector/github-advisory-latest
- alias/GHSA-7654-vfh6-rw6x
- alias/CVE-2023-50721
- collector/github-advisory
- agent/type
- agent/author
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/title
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- package-manager/maven
- vendor/xwiki
- canonical/xwiki
- version/xwiki/4.5
- version/xwiki/15.0
- version/xwiki/15.6
- version/xwiki/15.6-rc1
- version/xwiki/15.7-rc1