PT-2022-6757 · Xwiki · Xwiki Platform

Michael Hamann · Published 2022-12-07 · Updated 2023-09-11 · CVE-2023-37462

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.4.8
XWiki Platform versions prior to 14.10.4
XWiki Platform versions prior to 15.0-rc-1

Description
The issue is caused by improper escaping in the document SkinsCode.XWikiSkinsSheet. It gives anyone with view right on that document an injection vector that escalates to programming rights, which allows remote code execution, including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page whose name is crafted to contain a dangerous payload. Approximately 847 results were found, indicating potentially affected devices worldwide.

Recommendations
For versions prior to 14.4.8, upgrade to version 14.4.8 or later.
For versions prior to 14.10.4, upgrade to version 14.10.4 or later.
For versions prior to 15.0-rc-1, upgrade to version 15.0-rc-1 or later.
As a temporary workaround, consider manually applying the fix commit d9c88ddc to the impacted document SkinsCode.XWikiSkinsSheet.
To test whether an existing installation is vulnerable, open the URL <xwiki-host>/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view and check whether the Groovy macro is executed.
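The following triage helper is an added example and is not part of this advisory or of the XWiki project. It covers the two checks a defender needs after reading the recommendations above: deciding whether a reported XWiki version falls inside the affected ranges (14.4.x below 14.4.8, 14.5 to 14.10 below 14.10.4, anything else below 15.0-rc-1), and scanning web-server access logs for requests shaped like the test URL, i.e. wiki macro syntax (`{{`) inside a page name under /bin/view/, with the vulnerable sheet forced via the sheet= parameter as corroborating evidence. The version-string grammar (`major.minor[.patch][-milestone|rc-N]`), the pre-release ordering and the sample log lines are assumptions constructed for the example.

```python
"""Triage helpers for CVE-2023-37462 (XWiki SkinsCode.XWikiSkinsSheet injection).

Added example, not advisory or XWiki project code. It checks a version string
against the advisory's fixed versions and flags access-log requests that carry
wiki macro syntax in a page name under /bin/view/.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Fixed versions named in the advisory, one per maintained branch.
FIX_14_4 = "14.4.8"
FIX_14_10 = "14.10.4"
FIX_15 = "15.0-rc-1"

# Assumed version grammar: 14.10.4, 15.0-rc-1, 15.0-milestone-2 (constructed for the example).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?")
# Assumed pre-release ordering: milestone < rc < final release.
_PRE_RANK = {"milestone": 0, "rc": 1, None: 2}


def parse_version(text):
    """Turn an XWiki version string into a tuple that sorts in release order."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[pre], int(pre_num or 0))


def is_affected(version):
    """True when `version` is below the advisory's fix for its branch."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major == 14 and minor <= 4:
        return v < parse_version(FIX_14_4)
    if major == 14 and minor <= 10:
        # 14.5 .. 14.9 received no fix of their own; 14.10.4 closes that branch.
        return v < parse_version(FIX_14_10)
    # Everything else (older majors, 15.0 pre-releases) is fixed from 15.0-rc-1 on.
    return v < parse_version(FIX_15)


# Request target out of a combined-format access-log line.
_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def suspicious_requests(log_text):
    """Return (line_number, decoded_path, reasons) for lines matching the attack shape.

    A line is a hit only when the page name under /bin/view/ contains macro
    syntax after URL-decoding; a forced sheet=SkinsCode.XWikiSkinsSheet is
    recorded as an extra reason but does not flag a line on its own.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group(1))
        path = unquote(parts.path)          # decode %7B%7B -> {{ before matching
        query = parse_qs(parts.query)
        if "/bin/view/" not in path or "{{" not in path:
            continue
        reasons = ["macro syntax in page name"]
        if query.get("sheet") == ["SkinsCode.XWikiSkinsSheet"]:
            reasons.append("vulnerable sheet forced via sheet= parameter")
        hits.append((n, path, reasons))
    return hits


# Constructed sample log: one normal view, one request shaped like the advisory's
# test URL (payload shortened), one ordinary page with only the sheet forced.
LOG_SAMPLE = """\
203.0.113.5 - - [07/Dec/2022:10:12:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123
203.0.113.5 - - [07/Dec/2022:10:12:09 +0000] "GET /xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view HTTP/1.1" 200 812
198.51.100.7 - - [07/Dec/2022:10:13:44 +0000] "GET /xwiki/bin/view/Sandbox/TestPage1?sheet=SkinsCode.XWikiSkinsSheet HTTP/1.1" 200 4001
"""

if __name__ == "__main__":
    for ver in ("14.4.7", "14.4.8", "14.10.3", "15.0-milestone-1", "15.0-rc-1"):
        print(f"{ver}: {'affected' if is_affected(ver) else 'fixed'}")
    for n, path, reasons in suspicious_requests(LOG_SAMPLE):
        print(f"line {n}: {path!r}: {', '.join(reasons)}")
```

Run the script directly to see the version verdicts and the single flagged log line; `is_affected` raises `ValueError` on a string it cannot parse rather than guessing, so unknown version formats surface instead of silently reading as fixed.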

Exploit

Fix

RCE

Eval Injection

Special Elements Injection

Weakness Enumeration

Related Identifiers

BDU:2023-03973
CVE-2023-37462
GHSA-H4VP-69R8-GVJG

Affected Products

Xwiki Platform