PT-2023-8603 · Xwiki · Xwiki Platform, Xwiki-Platform-Web-Templates

Michael Hamann · Published 2023-10-25 · Updated 2023-11-02 · CVE-2023-45135

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: XWiki Platform versions 7.2-milestone-2 through 14.10.12; org.xwiki.platform:xwiki-platform-web-templates versions prior to 14.10.12 and 15.5-rc-1

Description: The issue allows an attacker to pass a title to the page creation action that is not displayed in the first step but is executed in the second step. An attacker can use this to trick a victim into executing code: script execution if the victim has script right, or remote code execution with full access to the XWiki instance if the victim has programming right. The attack involves convincing the victim to visit a link like <host>/xwiki/bin/create/NonExistingSpace/WebHome?title=$services.logging.getLogger("foo").error("Script executed!"), where <host> is the URL of the wiki installation, and then to click the "Create" button on that page. The page looks like a regular XWiki page, and the malicious code is not displayed anywhere on it. After the "Create" button is clicked, the malicious title is displayed, but at that point the code has already been executed.

Recommendations: For versions 7.2-milestone-2 through 14.10.12, update to version 14.10.12 or later. For org.xwiki.platform:xwiki-platform-web-templates versions prior to 14.10.12 and 15.5-rc-1, update to version 14.10.12 or 15.5-rc-1 or later. As a temporary workaround, consider manually applying the modified files from the patch to an existing installation. For the JavaScript change, the minified JavaScript file would need to be obtained from a build of XWiki and replaced accordingly.
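As an added detection example (not part of this advisory and not XWiki's own code), the following Python scans web-server access logs for create-action requests whose title parameter carries Velocity syntax, which is the pattern described above. The log lines are constructed for the example, and the set of Velocity markers it looks for is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# XWiki "create" action paths look like /xwiki/bin/create/Space/WebHome
CREATE_PATH = re.compile(r"/bin/create/")
# Velocity script markers (assumed list): $var, $services.x.y(...), ${...}, #directives
VELOCITY_MARKERS = re.compile(
    r"\$\{?[A-Za-z_]|#(?:set|if|foreach|macro|include|parse|evaluate)\b"
)

def suspicious_create_title(url: str):
    """Return the decoded title if `url` is a create-action request whose
    title parameter contains Velocity syntax, otherwise None."""
    parts = urlsplit(url)
    if not CREATE_PATH.search(parts.path):
        return None
    for title in parse_qs(parts.query).get("title", []):
        decoded = unquote(title)  # second decode catches double-encoded payloads
        if VELOCITY_MARKERS.search(decoded):
            return decoded
    return None

# Constructed sample access-log lines (Common Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Oct/2023:10:00:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120
203.0.113.5 - - [25/Oct/2023:10:00:07 +0000] "GET /xwiki/bin/create/NonExistingSpace/WebHome?title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22) HTTP/1.1" 200 8400
198.51.100.9 - - [25/Oct/2023:10:01:13 +0000] "GET /xwiki/bin/create/Docs/WebHome?title=Release%20Notes HTTP/1.1" 200 8400
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def scan_log(text: str):
    """Return (client_ip, path, decoded_title) for each flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        title = suspicious_create_title(m.group("target"))
        if title is not None:
            hits.append((m.group("ip"), m.group("target").split("?")[0], title))
    return hits

if __name__ == "__main__":
    for ip, path, title in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} title={title!r}")
```

A hit only shows that a scripted title was requested; whether it executed depends on the victim having script or programming right and clicking "Create", so correlate with the user's rights and any subsequent save.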

Tags: Exploit · Fix · RCE

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers: BDU:2024-01256, CVE-2023-45135, GHSA-GHF6-2F42-MJH9

Affected Products: Xwiki Platform, Xwiki-Platform-Web-Templates