PT-2023-29432 · Xwiki · Xwiki Platform+1

Michael Hamann · Published 2023-10-25 · Updated 2023-11-07 · CVE-2023-45137

CVSS v3.1: 9.0 Critical

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

XWiki Platform versions 3.1-milestone-2 through 13.4-rc-1; org.xwiki.platform:xwiki-platform-web-templates versions prior to 14.10.12 and 15.5-rc-1

Description

The issue arises when trying to create a document that already exists: XWiki displays an error message in the creation form. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus cross-site scripting (XSS). The injected code is the document reference of the existing document, so the attacker must first create a non-empty document whose name contains the attack code. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link, potentially leading to remote code execution and full read and write access to the whole XWiki installation.

Recommendations

For XWiki Platform versions 3.1-milestone-2 through 13.4-rc-1, update to version 13.4-rc-1 or later. For org.xwiki.platform:xwiki-platform-web-templates versions prior to 14.10.12 and 15.5-rc-1, update to version 14.10.12 or 15.5-rc-1 or later. As a temporary workaround, consider manually applying the changes from the fix to the vulnerable template file createinline.vm.
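The following is an added illustration, not code from this advisory or from XWiki: a small Python model of the "document already exists" error described above, rendered once the way the unfixed template behaves (reference interpolated raw) and once with HTML escaping, which is the class of change the fix applies. The error-message wording and the sample document name are assumptions, and the markup in the name is a harmless constructed marker used only to show whether the browser would parse it as a tag.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a document reference whose name carries markup, the
# kind of value the advisory says reaches the error message unescaped.
# Hypothetical value, not taken from any real XWiki instance.
EXISTING_DOC_REF = 'Sandbox.Page<u id="injected">x</u>'


def render_exists_error_vulnerable(doc_ref: str) -> str:
    """Models the pre-fix behaviour: the reference is placed in markup as-is."""
    return f'<div class="errormessage">Document {doc_ref} already exists.</div>'


def render_exists_error_fixed(doc_ref: str) -> str:
    """Models the fixed behaviour: the reference is HTML-escaped first."""
    safe = html.escape(doc_ref, quote=True)  # also neutralises " and '
    return f'<div class="errormessage">Document {safe} already exists.</div>'


class _TagCollector(HTMLParser):
    """Records every start tag the HTML parser sees in the rendered string."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered: str) -> list[str]:
    """Return start tags other than the template's own <div>.

    A non-empty result means user-controlled text was interpreted as markup,
    which is the defect the advisory describes.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t != "div"]


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_exists_error_vulnerable(EXISTING_DOC_REF)))
    print("fixed:     ", injected_tags(render_exists_error_fixed(EXISTING_DOC_REF)))
```

The same check can be pointed at any server-rendered error text that echoes a user-chosen name, which is how the underlying defect is spotted in review.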

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2023-45137
GHSA-93GH-JGJJ-R929

Affected Products

Xwiki Platform
Xwiki-Platform-Web-Templates