CVE-2023-48241
published 2023-11-20

Priority: P2 · 75 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 72.82% (99.4th percentile)

XWiki Platform is a generic wiki platform. Starting in version 6.3-milestone-2 and prior to versions 14.10.15, 15.5.1, and 15.6RC1, the Solr-based search suggestion provider, which also doubles as a generic JavaScript API for search results in XWiki, exposes the content of all documents of all wikis to anybody who has access to it; by default, it is public. This exposes all information stored in the wiki (but not some protected information like password hashes). Normally there is a rights check, but it can be circumvented by explicitly requesting fields from Solr that don't include the data needed for the rights check. This has been fixed in XWiki 15.6RC1, 15.5.1 and 14.10.15 by not listing documents whose rights cannot be checked. No known workarounds are available.

Affected

5 ranges

Vendor | Product | Version range | Fixed in
xwiki | xwiki | |
xwiki | xwiki | >= 15.0 < 15.5.1 | 15.5.1
xwiki | xwiki | >= 6.4 < 14.10.5 | 14.10.5
xwiki | xwiki-platform | |
xwiki | xwiki-platform | |

Detection & IOCs (extracted from sources)

url: /bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+
url: /xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+
path: /bin/get/XWiki/SuggestSolrService
  • Response body contains '{"reference":' or 'title_":' indicating vulnerable Solr field exposure
  • Response body contains 'services.localization.render', Content-Type header is 'application/json', and HTTP status is 200 — all three must be true to confirm exploitation
  • Shodan fingerprint for XWiki instances: search for HTML attribute 'data-xwiki-reference'
  • FOFA fingerprint for XWiki instances: search for body containing 'data-xwiki-reference'
  • The right-check bypass is achieved by explicitly requesting Solr fields (fl=) that exclude the data needed for the right check — monitor for Solr field list parameters omitting rights-related fields
  • The vulnerable endpoint is publicly accessible by default (no authentication required), making unauthenticated exploitation trivial
  • Exploitation exposes all wiki content except certain protected fields such as password hashes
  • No known workarounds exist; patching to XWiki 14.10.15, 15.5.1, or 15.6RC1 is the only remediation
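
One way to apply the fl= monitoring point above to web server access logs, as an added example that is not part of the original page or of XWiki. It assumes combined-format access logs and, because the page does not name the fields the rights check needs, it flags every SuggestSolrService request whose `query` parameter sets an explicit `fl=` field list; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/bin/get/XWiki/SuggestSolrService"  # path listed on this page
# Request line of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def solr_directives(query_value):
    """Split the newline-separated 'key=value' lines carried in the query parameter."""
    directives = {}
    for line in query_value.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            directives[key.strip().lower()] = value.strip()
    return directives

def flag_fl_overrides(log_lines):
    """Return (client, status, requested_fields) for each request that sets fl=."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if not url.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes the value, turning %0A into real newlines.
        for value in parse_qs(url.query).get("query", []):
            fl = solr_directives(value).get("fl")
            if fl is not None:
                fields = [f.strip() for f in fl.split(",") if f.strip()]
                hits.append((client, status, fields))
    return hits

# Constructed sample log lines (documentation-range addresses, made-up sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2023:10:01:02 +0000] "GET /xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=1000&query=q%3D*%3A*%0Aq.op%3DAND%0Afq%3Dtype%3ADOCUMENT%0Afl%3Dtitle_%2C+reference%2C+links%2C+doccontentraw_%2C+objcontent__&input=+ HTTP/1.1" 200 48211',
    '198.51.100.4 - - [21/Nov/2023:10:02:10 +0000] "GET /xwiki/bin/get/XWiki/SuggestSolrService?outputSyntax=plain&media=json&nb=3&query=q%3D__INPUT__*%0Afq%3Dtype%3ADOCUMENT&input=home HTTP/1.1" 200 512',
    '198.51.100.4 - - [21/Nov/2023:10:02:11 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for client, status, fields in flag_fl_overrides(SAMPLE_LOG):
        print(client, status, fields)
```

A hit with status 200 and a large response size is worth correlating with the response-body indicators listed above; requests sent with the parameters in a POST body will not appear in the request line and need body logging to catch.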