CVE-2023-29515
Published: 19 April 2023
Summary
CVE-2023-29515 is a high-severity Cross-site Scripting (CWE-79) vulnerability in XWiki Platform (vendor: XWiki). Its CVSS base score is 7.7 (High).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform contains a privilege escalation flaw in its App Within Minutes application that lets any user able to create a space obtain administrative rights over that space. The resulting admin rights automatically confer script rights, enabling stored JavaScript injection (CWE-79). The issue affects all deployments exposing the App Within Minutes wizard, including cases where the UI button is hidden; an attacker can still reach the vulnerable endpoint directly via /xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true.
An authenticated user with minimal space-creation privileges can exploit the flaw simply by completing the App Within Minutes wizard. Successful exploitation grants space-level administration, allowing arbitrary script execution that can alter page content, exfiltrate data, or perform actions on behalf of other users within the affected space. The CVSS 7.7 rating reflects the network-accessible attack vector, low complexity, and changed scope that results from the granted script rights.
Official advisories and the accompanying patches in XWiki 13.10.11, 14.4.8, 14.10.1, and 15.0 RC1 prevent the automatic assignment of space admin rights when the creating user lacks script rights on the target space, while displaying an error to the user. Administrators are advised to upgrade and to audit existing space admin assignments for any users who previously created App Within Minutes applications, as those rights are not revoked by the fix. No workarounds are documented. The associated EPSS score has remained flat at 0.0657 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1179
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can create a space can become admin of that space through App Within Minutes. The admin right implies the script right and thus allows JavaScript injection. The vulnerability can be exploited by creating an app in App Within Minutes. If the button should be disabled because the user doesn't have global edit right, the app can also be created by directly opening `/xwiki/bin/view/AppWithinMinutes/CreateApplication?wizard=true` on the XWiki installation. This has been patched in XWiki 13.10.11, 14.4.8, 14.10.1 and 15.0 RC1 by not granting the space admin right if the user doesn't have script right on the space where the app is created. Error messages are displayed to warn the user that the app will be broken in this case. Users who became space admin through this vulnerability won't lose the space admin right due to the fix, so it is advised to check if all users who created AWM apps should keep their space admin rights. Users are advised to upgrade. There are no known workarounds for this vulnerability.
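The two practical points in the description above are the patched grant rule (space admin only when the creator already holds script right on the target space) and the follow-up audit (admin rights already obtained through the flaw survive the upgrade). The following is an added example, not XWiki's own code: it models the patched decision and runs the recommended audit over a hypothetical rights export, constructed inline as (space, user) pairs. The record format, the sample users and the function names are all assumptions for illustration.

```python
"""Post-fix audit for CVE-2023-29515 (added example; not XWiki code).

Assumed, hypothetical export shape (constructed inline below):
  SPACE_ADMINS  : (space, user) pairs currently holding the admin right on a space
  AWM_APPS      : (space, creator) pairs for apps created through App Within Minutes
  SCRIPT_RIGHTS : (space, user) pairs holding the script right on a space
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

Grant = Tuple[str, str]  # (space, user)


@dataclass(frozen=True)
class Finding:
    space: str
    user: str
    reason: str


def patched_grant_decision(space: str, user: str, script_rights: Set[Grant]) -> Tuple[bool, str]:
    """Model of the patched behaviour the advisory describes: admin on the new
    app's space is granted only if the user already holds script right there;
    otherwise nothing is granted and an error message is shown to the user."""
    if (space, user) in script_rights:
        return True, ""
    return (
        False,
        f"{user} has no script right on space '{space}': "
        "space admin not granted, the app will be broken",
    )


def audit_awm_space_admins(
    space_admins: Iterable[Grant],
    awm_apps: Iterable[Grant],
    script_rights: Iterable[Grant],
) -> List[Finding]:
    """Flag users who hold admin on a space, created an AWM app in that space,
    and have no script right there. On an instance upgraded from a vulnerable
    version that combination most plausibly came from the flaw, and the patch
    does not revoke it, so each hit needs a manual keep-or-revoke decision."""
    admins = set(space_admins)
    scripts = set(script_rights)
    findings: List[Finding] = []
    for space, creator in sorted(set(awm_apps)):
        if (space, creator) in admins and (space, creator) not in scripts:
            findings.append(
                Finding(space, creator, "space admin held by AWM app creator without script right")
            )
    return findings


# Constructed sample data (not from any real installation).
SPACE_ADMINS: Set[Grant] = {("Sales", "alice"), ("Sales", "mallory"), ("Docs", "bob")}
AWM_APPS: Set[Grant] = {("Sales", "mallory"), ("Docs", "bob"), ("Sales", "carol")}
SCRIPT_RIGHTS: Set[Grant] = {("Sales", "alice"), ("Docs", "bob")}

if __name__ == "__main__":
    # alice: admin but never created an AWM app -> not flagged (granted some other way)
    # bob:   admin, created an app, holds script right -> not flagged
    # carol: created an app but is not admin -> nothing to review
    # mallory: admin, created an app, no script right -> flagged for review
    for f in audit_awm_space_admins(SPACE_ADMINS, AWM_APPS, SCRIPT_RIGHTS):
        print(f"REVIEW  space={f.space:<6} user={f.user:<8} {f.reason}")
    ok, msg = patched_grant_decision("Sales", "mallory", SCRIPT_RIGHTS)
    print("patched grant:", ok, msg)
```

Run against a real export the audit would need an adapter that produces the same (space, user) pairs from XWiki's rights objects; the decision logic itself is independent of that format.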
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.