PT-2023-8617 · Xwiki · Xwiki Platform

Ilie Andriuta · Published 2023-11-06 · Updated 2023-11-14 · CVE-2023-46731

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions prior to 14.10.14
XWiki Platform versions prior to 15.5.1
XWiki Platform versions prior to 15.6 RC1

Description
The issue is related to incorrect management of code generation in the XWiki Platform, allowing any user with read access to the document XWiki.AdminSheet to execute code, including Groovy code. This impacts the confidentiality, integrity, and availability of the whole XWiki instance. The vulnerability can be exploited by manipulating the section URL parameter. For example, the request "/xwiki/bin/get/Main/WebHome?sheet=XWiki.AdminSheet&viewer=content&section=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger(%22attacker%22).error(%22Attack%20succeeded!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&xpage=view" can be used to test whether an XWiki installation is vulnerable. If the attack is successful, the log message "ERROR attacker - Attack succeeded!" appears in XWiki's log.

Recommendations
To resolve the issue for versions prior to 14.10.14, upgrade to version 14.10.14 or later. To resolve the issue for versions prior to 15.5.1, upgrade to version 15.5.1 or later. To resolve the issue for versions prior to 15.6 RC1, upgrade to version 15.6 RC1 or later. As a temporary workaround, consider removing view rights for guests from the document XWiki.AdminSheet to protect against attacks from unauthenticated users. Alternatively, users unable to upgrade can apply the fix in commit fec8e0e53f9 manually by replacing the vulnerable code in the document XWiki.AdminSheet.
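Added detection example, not part of this advisory or of the XWiki project: the script below scans constructed access-log lines (the IPs, timestamps and benign requests are made up; the payload on the second line is the test URL quoted in the description) and flags any request whose section parameter decodes to XWiki macro syntax, which a legitimate section name never contains.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache-style access log lines, not real traffic. Line 2 carries
# the proof-of-concept payload quoted in the advisory in its "section" parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2023:10:01:02 +0000] "GET /xwiki/bin/view/XWiki/XWikiPreferences?editor=globaladmin&section=Registration HTTP/1.1" 200 5123
10.0.0.9 - - [06/Nov/2023:10:01:09 +0000] "GET /xwiki/bin/get/Main/WebHome?sheet=XWiki.AdminSheet&viewer=content&section=%5D%5D%7B%7B%2Fhtml%7D%7D%7B%7Basync%7D%7D%7B%7Bgroovy%7D%7Dservices.logging.getLogger(%22attacker%22).error(%22Attack%20succeeded!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&xpage=view HTTP/1.1" 200 812
10.0.0.7 - - [06/Nov/2023:10:02:30 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 9901
"""

# Request line inside a combined-format log entry: method, URL, protocol.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# XWiki 2.x syntax tokens a plain section name never contains: a macro
# open/close ("{{name", "{{/name") and "]]", which the PoC uses to break out
# of the surrounding markup before injecting {{async}}{{groovy}}.
MACRO_RE = re.compile(r"\{\{/?[a-zA-Z]+|\]\]")

def injected_macros(section_value: str) -> list:
    """Return the wiki-syntax tokens present in an already-decoded section value."""
    return MACRO_RE.findall(section_value)

def suspicious_section(url: str) -> list:
    """Decode every 'section' value in the URL's query string and report macro tokens."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for value in query.get("section", []):
        # parse_qs already decoded once; a second unquote catches double-encoded payloads.
        hits.extend(injected_macros(unquote(value)))
    return hits

def scan_log(text: str) -> list:
    """Return (line number, tokens) for each log line whose request URL carries
    macro syntax in the section parameter."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if match:
            tokens = suspicious_section(match.group(1))
            if tokens:
                findings.append((number, tokens))
    return findings

if __name__ == "__main__":
    for number, tokens in scan_log(SAMPLE_LOG):
        print(f"line {number}: macro syntax in section parameter: {tokens}")
```

The same check applies to the unpatched page itself: a section value containing `{{` or `]]` should be rejected or escaped rather than rendered.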

Exploit

Fix

Code Injection

Eval Injection


Weakness Enumeration

Related Identifiers
BDU:2024-01270
CVE-2023-46731
GHSA-62PR-QQF7-HH89

Affected Products
Xwiki Platform