CVE-2023-48241
Published 2023-11-20
Priority P2 · Severity high · CVSS 3.1 base score 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT · EPSS 72.82% (99.4th percentile)
XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider, which also serves as a generic JavaScript API for search results in XWiki, exposes the content of all documents of all wikis to anybody who has access to it; by default it is public. This exposes all information stored in the wiki (but not some protected information such as password hashes). While there is normally a right check, it can be circumvented by explicitly requesting fields from Solr that don't include the data needed for the right check. This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked. No known workarounds are available.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| xwiki | xwiki | — | — |
| xwiki | xwiki | >= 15.0 < 15.5.1 | 15.5.1 |
| xwiki | xwiki | >= 6.4 < 14.10.5 | 14.10.5 |
| xwiki | xwiki-platform | — | — |
| xwiki | xwiki-platform | — | — |
Detection & IOCs (extracted from sources)
- URL: /bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+
- URL: /xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+
- Response body contains '{"reference":' or 'title_":', indicating vulnerable Solr field exposure
- Response body contains 'services.localization.render', the Content-Type header is 'application/json', and the HTTP status is 200; all three must be true to confirm exploitation
- Shodan fingerprint for XWiki instances: search for the HTML attribute 'data-xwiki-reference'
- FOFA fingerprint for XWiki instances: search for a body containing 'data-xwiki-reference'
- The right-check bypass is achieved by explicitly requesting Solr fields (fl=) that exclude the data needed for the right check; monitor for Solr field-list parameters omitting rights-related fields
- The vulnerable endpoint is publicly accessible by default (no authentication required), so exploitation is unauthenticated
- Exploitation exposes all wiki content except certain protected fields such as password hashes
- No known workarounds exist; patching to XWiki 14.10.15, 15.5.1, or 15.6RC1 is the only remediation
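The description above says the right check is keyed on data that a caller-controlled `fl=` list can strip from each Solr hit, and that the fix drops any hit whose rights cannot be checked; the last detection item says to watch for `fl=` lists that omit those fields. The Python below is an added example that is not XWiki's code and not from this page's sources: it models both the pre-fix (fail-open) and post-fix (fail-closed) filtering over a constructed three-document index, and implements the detection heuristic over the reproduction URL given in this advisory. The identity field names `wiki`, `spaces`, `name`, the host `wiki.example`, the index contents and the rights table are all assumptions constructed for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Fields the per-document rights check needs to identify a document.
# ASSUMPTION: XWiki's real Solr field names may differ; what matters is that
# the check is keyed on fields a caller-controlled fl= list can strip.
RIGHTS_CHECK_FIELDS = ("wiki", "spaces", "name")

# Constructed sample index: what the Solr core holds for three documents.
INDEX = [
    {"wiki": "xwiki", "spaces": "Main", "name": "WebHome",
     "title_": "Home", "doccontentraw_": "Welcome"},
    {"wiki": "xwiki", "spaces": "HR", "name": "Salaries",
     "title_": "Salaries", "doccontentraw_": "confidential table"},
    {"wiki": "xwiki", "spaces": "Sandbox", "name": "Draft",
     "title_": "Draft", "doccontentraw_": "scratch"},
]

# Constructed rights table: document identity -> users allowed to view it.
RIGHTS = {
    ("xwiki", "Main", "WebHome"): {"anonymous", "alice", "bob"},
    ("xwiki", "HR", "Salaries"): {"bob"},
    ("xwiki", "Sandbox", "Draft"): {"alice"},
}


def project(docs, fl):
    """Model Solr's fl= handling: each hit carries only the requested fields."""
    wanted = set(fl)
    return [{k: v for k, v in d.items() if k in wanted} for d in docs]


def has_identity(doc):
    """True when the hit still carries every field the rights check needs."""
    return all(f in doc for f in RIGHTS_CHECK_FIELDS)


def can_view(doc, viewer):
    """Rights check keyed on the identity fields (caller must ensure they exist)."""
    key = tuple(doc[f] for f in RIGHTS_CHECK_FIELDS)
    return viewer in RIGHTS.get(key, set())


def filter_vulnerable(hits, viewer):
    """Pre-fix behaviour as the advisory describes it: a hit whose rights
    cannot be checked (identity fields absent) is passed through (fail-open)."""
    return [d for d in hits if not has_identity(d) or can_view(d, viewer)]


def filter_fixed(hits, viewer):
    """Post-fix behaviour: a hit whose rights cannot be checked is dropped."""
    return [d for d in hits if has_identity(d) and can_view(d, viewer)]


def suggest(fl, viewer, fixed):
    """Run a suggest query for `viewer` with the given fl= list."""
    hits = project(INDEX, fl)
    return (filter_fixed if fixed else filter_vulnerable)(hits, viewer)


def solr_params(url):
    """Split SuggestSolrService's `query` parameter into Solr params.
    It is a newline-separated list of key=value lines (see the advisory URL)."""
    raw = parse_qs(urlsplit(url).query).get("query", [""])[0]
    params = {}
    for line in raw.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def omits_rights_fields(url):
    """Detection heuristic from the IOC list: a SuggestSolrService request with
    an explicit fl= that leaves out any identity field. Returns False when fl=
    is absent (the service then uses its defaults) or the path is unrelated."""
    if "SuggestSolrService" not in urlsplit(url).path:
        return False
    fl = solr_params(url).get("fl")
    if fl is None:
        return False
    requested = {f.strip() for f in fl.split(",")}
    return any(f not in requested for f in RIGHTS_CHECK_FIELDS)


# The advisory's reproduction URL, on a constructed host.
ADVISORY_URL = ("https://wiki.example/xwiki/bin/get/XWiki/SuggestSolrService"
                "?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND"
                "%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C"
                "+doccontentraw_%2C+objcontent__&input=+")

if __name__ == "__main__":
    trimmed = ["title_", "doccontentraw_"]  # fl= list with no identity fields
    print("vulnerable:", [d["title_"] for d in suggest(trimmed, "anonymous", fixed=False)])
    print("fixed:     ", [d["title_"] for d in suggest(trimmed, "anonymous", fixed=True)])
    print("flagged:   ", omits_rights_fields(ADVISORY_URL))
```

The design point is the one the fix makes: a rights filter that returns a hit when the check cannot run is fail-open, and any request parameter that controls which fields come back (here `fl=`) becomes a way to make the check unrunnable. The detector simply decodes the same `query` parameter the service does and flags requests whose explicit field list drops the identity fields; with the page's own reproduction URL it fires, with a default or complete field list it stays quiet.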
GHSA
ghsa · 2023-11-20 · CVE-2023-48241 [HIGH] · CWE-285
Whole content of all documents of all wikis exposed to anybody with view right on Solr suggest service
### Impact
The Solr-based search suggestion provider, which also serves as a generic JavaScript API for search results in XWiki, exposes the content of all documents of all wikis to anybody who has access to it; by default it is public. This exposes all information stored in the wiki (but not some protected information such as password hashes). While there is normally a right check, it can be circumvented by explicitly requesting fields from Solr that don't include the data needed for the right check. This can be reproduced by opening `/xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+refer
OSV
osv · 2023-11-20 · CVE-2023-48241 [HIGH]
Whole content of all documents of all wikis exposed to anybody with view right on Solr suggest service
No detection rules found.
Nuclei
nuclei · CVSS 7.5 · CVE-2023-48241 [HIGH]
XWiki < 4.10.15 - Information Disclosure
XWiki <xwiki-host>/xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+ where <xwiki-host> is the URL of the XWiki installation. If this displays any results, the wiki is vulnerable.
Template:
```yaml
id: CVE-2023-48241

info:
  name: XWiki <xwiki-host>/xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+ where <xwiki-host> is the URL of the XWiki installation. If this displays any results, the wiki is vulnerable.
  impact: |
    Successful exploitation could lead to disclosure of content of all documents of all wikis.
  remediation: |
    This has been fi
```
References
- https://github.com/xwiki/xwiki-platform/commit/93b8ec702d7075f0f5794bb05dfb651382596764
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-7fqr-97j7-jgf4
- https://jira.xwiki.org/browse/XWIKI-21138