CVE-2023-37277

Name of the Vulnerable Software and Affected Versions XWiki Platform versions prior to 14.10.8 XWiki Platform versions prior to 15.2

Description The issue is related to insufficient authentication checks for executed requests in the XWiki Platform, allowing cross-site request forgery. This can lead to remote code execution through script macros when a user with programming rights interacts with the platform, impacting the integrity, availability, and confidentiality of the XWiki installation. For regular cookie-based authentication, the issue is mitigated by SameSite cookie restrictions, but these are not enabled by default in Firefox and Safari as of March 2023.

Recommendations For XWiki Platform versions prior to 14.10.8, update to version 14.10.8 or later to require a CSRF token header for certain request types susceptible to CSRF attacks. For XWiki Platform versions prior to 15.2, update to version 15.2 or later to require a CSRF token header for certain request types susceptible to CSRF attacks. As a temporary workaround, consider checking for the Origin header in a reverse proxy to protect the REST endpoint from CSRF attacks.