CVE-2023-37462
Published 2023-07-14
Priority: P183 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available · EPSS: 91.35% (99.8th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade. The fix commit `d9c88ddc` can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet` and users unable to upgrade are advised to manually patch their installations.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | >= 14.5 < 14.10.4 | 14.10.4 |
| xwiki | xwiki | >= 7.0 < 14.4.8 | 14.4.8 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
URL: `{{BaseURL}}/bin/view/%22%5d%5d%20%7b%7b%61%73%79%6e%63%20%61%73%79%6e%63%3d%22%74%72%75%65%22%20%63%61%63%68%65%64%3d%22%66%61%6c%73%65%22%20%63%6f%6e%74%65%78%74%3d%22%64%6f%63%2e%72%65%66%65%72%65%6e%63%65%22%7d%7d%7b%7b%70%79%74%68%6f%6e%7d%7d%70%72%69%6e%74%28%33%37%32%34%33%34%38%20%2a%20%38%34%37%33%33%33%34%29%7b%7b%2f%70%79%74%68%6f%6e%7d%7d%7b%7b%2f%61%73%79%6e%63%7d%7d?sheet=SkinsCode.XWikiSkinsSheet&xpage=view`
- The exploit targets the document `SkinsCode.XWikiSkinsSheet` via the `sheet` query parameter. Requests to `/bin/view/` with `sheet=SkinsCode.XWikiSkinsSheet` and a URL-encoded payload in the page name path should be flagged.
- The attack uses a two-step async rendering flow: the first request injects the payload via `/bin/view/<crafted-name>?sheet=SkinsCode.XWikiSkinsSheet&xpage=view`, then the client polls `/asyncrenderer/<async-id>?clientId=<client-id>&timeout=500&wiki=xwiki`. Monitor for requests to the `/asyncrenderer/` endpoint following suspicious `/bin/view/` requests.
- The URL-decoded payload injected into the page name contains `]] {{async async="true" cached="false" context="doc.reference"}}{{python}}print(37243348 * 8473334){{/python}}{{/async}}`. Detect URL-encoded variants of `{{python}}` or `{{groovy}}` macros in XWiki URL paths.
- Shodan/FOFA fingerprint for exposed XWiki instances: the HTML attribute `data-xwiki-reference` in the page body. Use this to identify internet-exposed instances.
- A successful exploitation response contains the computed value `31557644536232` (product of 37243348 * 8473334) in the body, with HTTP 200 and Content-Type text/html from the async renderer endpoint.
- The fix commit `d9c88ddc` was applied to `SkinsCode.XWikiSkinsSheet`. Verify patched installations by checking the document revision for this commit hash.
- The nuclei template uses a two-request chain with internal extractors to capture the async rendering IDs (`data-xwiki-async-id` and `data-xwiki-async-client-id`) from the first response before polling the async renderer. Detection logic must account for this multi-step flow.
- The vulnerability requires only `view` right on the `SkinsCode.XWikiSkinsSheet` document (a low-privilege authenticated user), not admin rights. Scope is limited to the affected XWiki instance (S:U in CVSS).
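A defender-side log check implementing the detection notes above, as an added example (not code from this page or from the XWiki project): it URL-decodes each request target (repeatedly, so double-encoding is not missed), flags `/bin/view/` page names carrying XWiki script-macro syntax or a `sheet=SkinsCode.XWikiSkinsSheet` parameter, and correlates the follow-up `/asyncrenderer/` poll from the same client. The log lines, client addresses and log format are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed access-log sample (not from the page): "<client> <method> <target> <status>".
SAMPLE_LOG = [
    "10.0.0.5 GET /xwiki/bin/view/Main/WebHome 200",
    "10.0.0.9 GET /xwiki/bin/view/%22%5D%5D%20%7B%7Bgroovy%7D%7Dprintln(1)%7B%7B/groovy%7D%7D"
    "?sheet=SkinsCode.XWikiSkinsSheet&xpage=view 200",
    "10.0.0.9 GET /xwiki/asyncrenderer/abc123?clientId=xyz&timeout=500&wiki=xwiki 200",
    "10.0.0.7 GET /xwiki/bin/view/Sandbox/Test?sheet=SkinsCode.XWikiSkinsSheet 200",
]
SHEET = "SkinsCode.XWikiSkinsSheet"
# Script macros (and the async wrapper used to run them) appearing in a page name.
MACRO_RE = re.compile(r"\{\{\s*/?(groovy|python|async)\b", re.IGNORECASE)
MACRO_HIT = "xwiki macro syntax in page name"

def decode_fully(s, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify_request(target):
    """Reasons a request target looks like CVE-2023-37462 abuse (empty if clean)."""
    parts = urlsplit(target)
    reasons = []
    if "/bin/view/" in parts.path and MACRO_RE.search(decode_fully(parts.path)):
        reasons.append(MACRO_HIT)
    if SHEET in parse_qs(parts.query).get("sheet", []):
        reasons.append("sheet parameter forces " + SHEET)
    return reasons

def scan_log(lines):
    """Flag suspicious view requests and the async-renderer polls that follow them."""
    findings, pending = [], set()  # pending: clients whose view request carried a macro
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue
        client, _method, target, _status = fields
        reasons = classify_request(target)
        if "/asyncrenderer/" in urlsplit(target).path and client in pending:
            reasons.append("async renderer poll after flagged view request")
        if MACRO_HIT in reasons:
            pending.add(client)
        if reasons:
            findings.append((client, target, reasons))
    return findings
```

A `sheet`-only hit without macro syntax is a weak signal on its own; the macro match and the correlated async poll are the confident indicators.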
OSV · 2023-07-14
CVE-2023-37462 [CRITICAL] org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability
### Impact
Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to a possible privilege escalation from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents.
The attack works by opening a non-existing page with a name crafted to contain a dangerous payload.
It is possible to check if an existing installation is vulnerable by opening `/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22
GHSA · 2023-07-14
CVE-2023-37462 [CRITICAL] CWE-74 org.xwiki.platform:xwiki-platform-skin-ui Eval Injection vulnerability (advisory text identical to the OSV entry above)
No detection rules found.
Nuclei · CVSS 8.8
CVE-2023-37462 [HIGH] XWiki Platform - Remote Code Execution
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable
Template (truncated in the source):
```yaml
id: CVE-2023-37462
info:
  name: XWiki Platform - Remote Code Execution
  author: parthmalhotra,pdresearch
  severity: high
  descrip
```
References:
- https://github.com/xwiki/xwiki-platform/commit/d9c88ddc4c0c78fa534bd33237e95dea66003d29
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h4vp-69r8-gvjg
- https://jira.xwiki.org/browse/XWIKI-20457
Published: 2023-07-14