PT-2023-4809 · Unknown · Xwiki Platform

Michael Hamann · Published 2023-08-23 · Updated 2023-09-01 · CVE-2023-40572

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 14.10.9; XWiki Platform versions prior to 15.4RC1
Description: The create action in XWiki Platform is vulnerable to a CSRF attack, allowing script execution and thus remote code execution when targeting a user with script/programming right. This compromises the confidentiality, integrity, and availability of the whole XWiki installation. When a user with script right views a malicious image and the log message "ERROR foo - Script executed!" appears in the log, the XWiki installation is vulnerable. The issue can be exploited by adding the XWiki syntax [[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger("foo").error("Script executed!")]] to any place that supports XWiki syntax.
Recommendations: For XWiki Platform versions prior to 14.10.9, update to version 14.10.9 or later; for XWiki Platform versions prior to 15.4RC1, update to version 15.4RC1 or later. Both releases patch the vulnerability by requiring a CSRF token for the actual page creation. As a temporary workaround, consider restricting access to the create action to minimize the risk of exploitation.
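As an added illustration (not the advisory's or XWiki's own code), the Python below scans stored wiki markup for the content-side indicator the description gives, image:path links that drive the create action with Velocity references in the query string, and shows the shape of the server-side fix: refusing a create request that lacks the session's anti-CSRF token. The sample markup, the "form_token" parameter name and the token value are assumptions for this example.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of stored XWiki markup (not taken from any real wiki):
# one harmless attachment image, one image link that drives the create
# action with a Velocity expression in "title", and one plain view link.
SAMPLE_MARKUP = (
    "Welcome! [[image:attach:logo.png]]\n"
    "[[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome"
    '&title=$services.logging.getLogger("foo").error("Script executed!")]]\n'
    "[[image:path:/xwiki/bin/view/Main/WebHome?xpage=plain]]"
)

IMAGE_PATH_LINK = re.compile(r"\[\[image:path:([^\]]+)\]\]")
# A Velocity reference: $name, ${name} or $!name (silent notation).
VELOCITY_REF = re.compile(r"\$!?\{?[A-Za-z_]")


def find_create_action_images(markup):
    """Return (target, [flagged params]) for every image:path link that
    points at the create action and carries a Velocity reference in its
    query string, i.e. the indicator the advisory describes."""
    hits = []
    for match in IMAGE_PATH_LINK.finditer(markup):
        target = match.group(1)
        url = urlsplit(target)
        if "/bin/create/" not in url.path:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        flagged = sorted(name for name, values in params.items()
                         if any(VELOCITY_REF.search(v) for v in values))
        if flagged:
            hits.append((target, flagged))
    return hits


def create_request_allowed(params, session_token):
    """Shape of the fix: the create action only proceeds when the request
    carries the per-session anti-CSRF token. The "form_token" parameter
    name is an assumption for this example, not XWiki's code."""
    supplied = params.get("form_token", [""])[0]
    return hmac.compare_digest(supplied, session_token)


if __name__ == "__main__":
    for target, names in find_create_action_images(SAMPLE_MARKUP):
        print("create action with Velocity in", names, "->", target)
    # An image fetch triggered by rendering a page never carries the token,
    # so the same request is refused once the fix is in place.
    print(create_request_allowed({"title": ["$services"]}, "s3cr3t"))  # False
```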

Exploit · Fix · RCE · CSRF

Weakness Enumeration

Related Identifiers

BDU:2023-05272
CVE-2023-40572
GHSA-4F8M-7H83-9F6M

Affected Products

Xwiki Platform