CVE-2023-48240

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 11.10.1 through 14.10.14 XWiki Platform versions 15.0.0 through 15.5.0 XWiki Platform version 15.6.0

Description The issue is related to insufficient validation of incoming requests in the XWiki Platform, allowing a remote attacker to gain unauthorized access to cookies. This can be exploited to steal login and session cookies, enabling the impersonation of the current user viewing the diff. The attack can be triggered with an image referencing the rendered diff. Apart from stealing login cookies, this also allows server-side request forgery and viewing protected content. The cache will be filled by the first user who is allowed to access the resource.

Recommendations For XWiki Platform versions 11.10.1 through 14.10.14, update to version 14.10.15 or later. For XWiki Platform versions 15.0.0 through 15.5.0, update to version 15.5.1 or later. For XWiki Platform version 15.6.0, update to a later version. As a temporary workaround, consider disabling the image embedding feature by deleting xwiki-platform-diff-xml-<version>.jar in WEB-INF/lib/.