CVE-2023-37462
published 2023-07-14


Priority: P183 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 91.35% (99.8th percentile)
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade. The fix commit `d9c88ddc` can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet` and users unable to upgrade are advised to manually patch their installations.

Affected (4 ranges)

Vendor  Product         Version range        Fixed in
xwiki   xwiki           >= 14.5, < 14.10.4   14.10.4
xwiki   xwiki           >= 7.0, < 14.4.8     14.4.8
xwiki   xwiki-platform  (not specified)      (not specified)
xwiki   xwiki-platform  (not specified)      (not specified)

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/bin/view/%22%5d%5d%20%7b%7b%61%73%79%6e%63%20%61%73%79%6e%63%3d%22%74%72%75%65%22%20%63%61%63%68%65%64%3d%22%66%61%6c%73%65%22%20%63%6f%6e%74%65%78%74%3d%22%64%6f%63%2e%72%65%66%65%72%65%6e%63%65%22%7d%7d%7b%7b%70%79%74%68%6f%6e%7d%7d%70%72%69%6e%74%28%33%37%32%34%33%34%38%20%2a%20%38%34%37%33%33%33%34%29%7b%7b%2f%70%79%74%68%6f%6e%7d%7d%7b%7b%2f%61%73%79%6e%63%7d%7d?sheet=SkinsCode.XWikiSkinsSheet&xpage=view
url: {{BaseURL}}/asyncrenderer/{{url}}?clientId={{id}}&timeout=500&wiki=xwiki
path: /bin/view/
  • The exploit targets the document `SkinsCode.XWikiSkinsSheet` via the `sheet` query parameter. Requests to `/bin/view/` with `sheet=SkinsCode.XWikiSkinsSheet` and a URL-encoded payload in the page name path should be flagged.
  • The attack uses a two-step async rendering flow: first request injects payload via `/bin/view/<crafted-name>?sheet=SkinsCode.XWikiSkinsSheet&xpage=view`, then polls `/asyncrenderer/<async-id>?clientId=<client-id>&timeout=500&wiki=xwiki`. Monitor for requests to `/asyncrenderer/` endpoint following suspicious `/bin/view/` requests.
  • The URL-decoded payload injected into the page name contains `]] {{async async="true" cached="false" context="doc.reference"}}{{python}}print(3724348 * 8473334){{/python}}{{/async}}`. Detect URL-encoded variants of `{{python}}` or `{{groovy}}` macros in XWiki URL paths.
  • Shodan/FOFA fingerprint for exposed XWiki instances: HTML attribute `data-xwiki-reference` in page body. Use this to identify internet-exposed targets.
  • A successful exploitation response contains the computed value `31557644536232` (the product 3724348 * 8473334) in the body, with HTTP 200 and Content-Type text/html from the async renderer endpoint.
  • The fix commit `d9c88ddc` was applied to `SkinsCode.XWikiSkinsSheet`. Verify patched installations by checking the document revision for this commit hash.
  • The nuclei template uses a two-request chain with internal extractors to capture the async rendering IDs (`data-xwiki-async-id` and `data-xwiki-async-client-id`) from the first response before polling the async renderer. Detection logic must account for this multi-step flow.
  • The vulnerability requires only `view` right on the `SkinsCode.XWikiSkinsSheet` document (low-privilege authenticated user), not admin rights. Scope is limited to the affected XWiki instance (S:U in CVSS).
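Detection logic for the two-step flow described in the bullets above, as an added example that is not part of the CVE record or the nuclei template: it percent-decodes the `/bin/view/` page name (repeatedly, so double-encoding does not hide the macro), flags `{{python}}`/`{{groovy}}` macros combined with the `sheet=SkinsCode.XWikiSkinsSheet` parameter, and then flags the same client's follow-up `/asyncrenderer/` poll. The log lines, client IPs and async IDs are constructed; the alert labels are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not real traffic). Line 1 carries the
# URL-encoded probe from the nuclei template, line 2 is that client polling the
# async renderer; lines 3-4 are a normal client doing the same for a real page.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2023:10:00:01 +0000] "GET /bin/view/%22%5d%5d%20%7b%7b%61%73%79%6e%63%20%61%73%79%6e%63%3d%22%74%72%75%65%22%20%63%61%63%68%65%64%3d%22%66%61%6c%73%65%22%20%63%6f%6e%74%65%78%74%3d%22%64%6f%63%2e%72%65%66%65%72%65%6e%63%65%22%7d%7d%7b%7b%70%79%74%68%6f%6e%7d%7d%70%72%69%6e%74%28%33%37%32%34%33%34%38%20%2a%20%38%34%37%33%33%33%34%29%7b%7b%2f%70%79%74%68%6f%6e%7d%7d%7b%7b%2f%61%73%79%6e%63%7d%7d?sheet=SkinsCode.XWikiSkinsSheet&xpage=view HTTP/1.1" 200 5120
203.0.113.7 - - [14/Jul/2023:10:00:02 +0000] "GET /asyncrenderer/1689328801?clientId=9f1e&timeout=500&wiki=xwiki HTTP/1.1" 200 64
198.51.100.3 - - [14/Jul/2023:10:01:00 +0000] "GET /bin/view/Main/WebHome HTTP/1.1" 200 8192
198.51.100.3 - - [14/Jul/2023:10:01:01 +0000] "GET /asyncrenderer/1689328860?clientId=77ab&timeout=500&wiki=xwiki HTTP/1.1" 200 64
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Opening or closing script macro; XWiki syntax tolerates whitespace after "{{".
MACRO_RE = re.compile(r'\{\{\s*/?(python|groovy)\b', re.IGNORECASE)

def fully_decode(text, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify_request(url):
    """Return (label, decoded_path) for a suspicious /bin/view/ request, else None."""
    parts = urlsplit(url)
    path = fully_decode(parts.path)
    if not path.startswith('/bin/view/') or not MACRO_RE.search(path):
        return None
    sheet = parse_qs(parts.query).get('sheet', [])
    if 'SkinsCode.XWikiSkinsSheet' in sheet:
        return ('script-macro-in-page-name+skins-sheet', path)
    return ('script-macro-in-page-name', path)

def scan_log(log_text):
    """Flag payload requests, then any /asyncrenderer/ poll from the same client."""
    alerts, tainted = [], set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, url = m['ip'], m['url']
        hit = classify_request(url)
        if hit:
            tainted.add(ip)
            alerts.append((ip, hit[0], hit[1]))
        elif ip in tainted and urlsplit(url).path.startswith('/asyncrenderer/'):
            alerts.append((ip, 'async-poll-after-payload', url))
    return alerts
```

Legitimate pages also use the async renderer, so the poll is only alerted when the same client has just sent a flagged `/bin/view/` request.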