CVE-2023-27479
Published: 07 March 2023
Summary
CVE-2023-27479 is a critical-severity injection vulnerability (CWE-74) in XWiki Platform (listed by NVD under vendor "Xwiki", product "Xwiki"). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof of concept is referenced.
Deeper analysis
XWiki Platform, a generic wiki platform, contains an injection vulnerability (CWE-74) caused by improper escaping of UIX parameters. Any authenticated user with view rights can supply crafted Extension Parameters content that embeds executable Groovy, Python, or Velocity scripts, resulting in arbitrary code execution with full access to the XWiki installation.
An attacker logs in, adds an XWiki.UIExtensionClass xobject containing the malicious payload to their user profile page, then visits a page such as PanelsCode.ApplicationsPanelConfigurationSheet to trigger script execution. The attack requires only view rights, needs no user interaction, and yields complete compromise of the affected instance.
Official advisories and the referenced commits state that the issue is fixed in XWiki 13.10.11, 14.4.7, and 14.10-rc-1. Administrators unable to upgrade can apply the same parameter-escaping changes shown in commit 6de5442f3c to the ApplicationsPanelConfigurationSheet page.
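Deciding whether a given installation is still exposed is slightly awkward because the fix landed on three lines at once (13.10.x, 14.4.x and the main line from 14.10-rc-1). The following is an added example, not code from the advisory or from the XWiki project: it parses XWiki version strings, orders release candidates before the corresponding final release, and applies the branch logic implied by the three fixed versions. The branch assignment (13.10.x and 14.4.x are maintenance lines, everything else is compared against 14.10-rc-1) is an assumption derived from the fixed versions the advisory names.

```python
"""Added example (not the advisory's or XWiki's code): is an XWiki Platform
version older than the CVE-2023-27479 fix on its own release line?

Fixed versions named in the advisory: 13.10.11, 14.4.7 and 14.10-rc-1.
Assumption: 13.10.x and 14.4.x are maintenance lines fixed by their own
point release; every other version is fixed from 14.10-rc-1 onwards, so
anything older (13.9, 14.0-rc-1, 14.9, ...) is treated as affected.
"""
import re
from typing import Tuple

FIXED_VERSIONS = ("13.10.11", "14.4.7", "14.10-rc-1")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc-(\d+))?")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn 'MAJOR.MINOR[.PATCH][-rc-N]' into a comparable tuple.

    The fourth field is 1 for a final release and 0 for a release candidate,
    so 14.10-rc-1 -> (14, 10, 0, 0, 1) sorts before 14.10 -> (14, 10, 0, 1, 0).
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, rc = match.groups()
    is_final = 1 if rc is None else 0
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0))


def is_affected(version: str) -> bool:
    """True if 'version' predates the fix on its release line."""
    v = parse_version(version)
    if v[:2] == (13, 10):            # 13.10.x maintenance line
        return v < parse_version("13.10.11")
    if v[:2] == (14, 4):             # 14.4.x maintenance line
        return v < parse_version("14.4.7")
    return v < parse_version("14.10-rc-1")   # main line and unpatched older lines


if __name__ == "__main__":
    # Constructed sample inventory, e.g. scraped from /xwiki/bin/view/XWiki/XWikiSyntax footers.
    for ver in ("13.10.10", "13.10.11", "14.4.6", "14.4.7", "14.9", "14.10-rc-1", "15.3.2"):
        print(f"{ver:>10}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
```

The version grammar above only covers the `x.y[.z][-rc-N]` shapes the advisory itself uses; snapshot or milestone builds would need extra handling.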
The EPSS score remains flat at 0.1486 (an estimated 14.9% probability of exploitation activity within the next 30 days), with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1089
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters.

A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content containing `label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}`. Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `<xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet` where `<xwiki-host>` is the URL of your XWiki installation) should not execute the Groovy script. If it does, you will see `Hello from groovy!` displayed on the screen.

This vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. Users are advised to upgrade. For users unable to upgrade the issue can be fixed by editing the `PanelsCode.ApplicationsPanelConfigurationSheet` wiki page and making the same modifications as shown in commit `6de5442f3c`.
- CWE(s): CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'))
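The proof of concept above works because the `label` parameter value is dropped into wiki markup without escaping, so the `{{/html}}` at the start of the value closes the macro the sheet put it in and everything after it is parsed as fresh wiki syntax, macros included. The following is an added example, not XWiki's code and not the content of commit `6de5442f3c`: a deliberately small model of that parsing step, run on the advisory's payload once without and once with escaping. Assumptions not stated in the advisory: the sheet is modelled as emitting the label inside an `{{html}}` macro, the macro parser is a toy that only understands `{{name ...}}`/`{{/name}}` tags plus the XWiki Syntax 2.1 escape character `~`, and `escape_xwiki_syntax` is a conservative stand-in for the escaping XWiki's rendering service provides.

```python
"""Added example (not XWiki's code): why unescaped UIX parameters reach macro
execution, modelled with a toy wiki-syntax macro parser.

Constructed simplifications: the sheet interpolates 'label' into an {{html}}
macro; the parser only knows {{name ...}} / {{/name}} tags and the '~' escape;
the escaper is an approximation, not the project's own implementation.
"""
from typing import Dict, List

# Macros whose body is not parsed as wiki syntax (raw HTML or script source).
RAW_CONTENT_MACROS = {"html", "groovy", "python", "velocity", "code"}

# Extension Parameters content quoted in the advisory.
ADVISORY_PAYLOAD = (
    'label={{/html}} {{async async="true" cached="false" context="doc.reference"}}'
    '{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}}'
)
BENIGN_PARAMS = "label=My application"   # constructed harmless input


def parse_uix_parameters(text: str) -> Dict[str, str]:
    """UIX parameters are key=value lines (Java Properties style); this toy
    takes everything after the first '=' as the value (no continuation lines)."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def escape_xwiki_syntax(text: str) -> str:
    """Conservative XWiki Syntax 2.1 escaping: '~' makes the next character
    literal, so prefix every character that is not a letter, digit or space.
    Stand-in for the platform's escaper (assumption, not XWiki's code)."""
    return "".join(c if c.isalnum() or c == " " else "~" + c for c in text)


def render_sheet(params: Dict[str, str], escape: bool) -> str:
    """Model of the sheet emitting the label: escape=False is the vulnerable
    pattern, escape=True the hardened one."""
    label = params.get("label", "")
    if escape:
        label = escape_xwiki_syntax(label)
    return '{{html}}<span class="app-label">' + label + "</span>{{/html}}"


def find_macros(markup: str) -> List[str]:
    """Return the macro names the toy parser would invoke, in order.  Outside
    raw content '~' escapes the next character; a raw-content macro swallows
    everything up to its own closing tag."""
    invoked: List[str] = []
    raw_until = None          # raw-content macro we are currently inside
    i = 0
    while i < len(markup):
        if raw_until is None and markup[i] == "~":
            i += 2            # escaped character is literal text
            continue
        if markup.startswith("{{", i):
            end = markup.find("}}", i + 2)
            if end == -1:
                break
            tag = markup[i + 2:end].strip()
            i = end + 2
            if tag.startswith("/"):
                if raw_until == tag[1:].strip():
                    raw_until = None
                continue
            name = tag.split()[0].rstrip("/") if tag else ""
            if raw_until is None:
                invoked.append(name)
                if name in RAW_CONTENT_MACROS and not tag.endswith("/"):
                    raw_until = name
            continue
        i += 1
    return invoked


def executed_macros(param_text: str, escape: bool) -> List[str]:
    """End to end: parameters -> rendered sheet -> macros the parser would run."""
    return find_macros(render_sheet(parse_uix_parameters(param_text), escape))


if __name__ == "__main__":
    print("vulnerable:", executed_macros(ADVISORY_PAYLOAD, escape=False))
    print("hardened:  ", executed_macros(ADVISORY_PAYLOAD, escape=True))
```

With escaping off, the payload leaves the `html` macro and the parser goes on to invoke `async` and `groovy`; with escaping on, only the sheet's own `html` macro is invoked and the payload is inert text. Any value that is rendered as wiki syntax needs the same treatment, which is why the advisory's workaround is a change to the sheet rather than to the payload-carrying object.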
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
XWiki Platform installations not yet on 13.10.11, 14.4.7 or 14.10-rc-1 (or a later release of the respective line).
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-74) cited in the NVD entry.
- Developer assessment and testing, including injection-focused test techniques, identifies improper neutralization of special elements, and verifiable flaw remediation corrects it before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP and similar).