CVE-2023-32071
Published: 09 May 2023
Summary
CVE-2023-32071 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in XWiki Platform. Its CVSS base score is 9.0 (Critical).
Operationally, it ranks in the top 2.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
XWiki Platform, a generic wiki platform, contains a cross-site scripting vulnerability that permits execution of JavaScript in the security context of any targeted user. The flaw affects all versions from 2.2-milestone-1 through 14.4.7, 14.10.3, and 15.0-milestone releases, and stems from insufficient output encoding when an attacker supplies a crafted URL that references a page containing an attachment.
An authenticated attacker who can create or modify content can craft a URL that, when visited by a victim user, causes the victim's browser to execute attacker-controlled JavaScript under that user's privileges. Successful exploitation can therefore result in full compromise of the victim's account within the wiki, including the ability to read or alter arbitrary content and perform actions on the victim's behalf.
Official patches are available in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The project advisory and associated commit describe a one-line change to templates/importinline.vm that sanitizes the relevant input; the same modification is provided as the recommended workaround for instances that cannot be upgraded immediately.
EPSS scores for this CVE reached a peak of 0.5748 before receding to the current value of 0.3378, indicating transient but notable post-disclosure interest. No confirmed in-the-wild exploitation campaigns have been reported in the referenced sources.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-1567
Vulnerability details
XWiki Platform is a generic wiki platform. Starting in versions 2.2-milestone-1 and prior to versions 14.4.8, 14.10.4, and 15.0-rc-1, it's possible to execute JavaScript with the rights of any user by leading them to a special URL on the wiki targeting a page which contains an attachment. This has been patched in XWiki 15.0-rc-1, 14.10.4, and 14.4.8. The easiest possible workaround is to edit file `<xwiki app>/templates/importinline.vm` and apply the modification described in commit 28905f7f518cc6f21ea61fe37e9e1ed97ef36f01.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
- Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
- Input validation of web parameters rejects script-related content that could produce XSS.