CVE-2023-37462
Published: 14 July 2023
Summary
CVE-2023-37462 is a critical-severity Injection (CWE-74) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 0.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
XWiki Platform contains an improper escaping flaw in the document SkinsCode.XWikiSkinsSheet that converts view-level access on that page into programming rights. The affected component allows execution of arbitrary script macros, including Groovy and Python, which in turn grant unrestricted read and write access to all wiki contents. The vulnerability is tracked as CVE-2023-37462 with a CVSS score of 9.9 and is associated with CWE-74 and CWE-95.
An attacker who can view the vulnerable document can exploit it simply by requesting a non-existent page whose name contains a crafted payload. Successful exploitation yields remote code execution on the underlying server and full control over the wiki instance. No authentication beyond view rights is required, and the attack does not rely on user interaction.
Official advisories and the linked GitHub Security Advisory recommend upgrading to XWiki 14.4.8, 14.10.4, or 15.0-rc-1. The corrective change is contained in commit d9c88ddc; administrators unable to upgrade can apply the same patch directly to the SkinsCode.XWikiSkinsSheet document. The advisory also provides steps to test whether a given installation remains vulnerable.
The EPSS score for this issue currently stands at 0.9026 with a recorded peak of 0.9145, indicating sustained and substantial exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2070
Vulnerability details
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to an injection vector from view right on that document to programming rights, or in other words, it is possible to execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload. It is possible to check if an existing installation is vulnerable. See the linked GHSA for instructions on testing an installation. This issue has been patched in XWiki 14.4.8, 14.10.4 and 15.0-rc-1. Users are advised to upgrade. The fix commit `d9c88ddc` can also be applied manually to the impacted document `SkinsCode.XWikiSkinsSheet` and users unable to upgrade are advised to manually patch their installations.
- CWE(s): CWE-74, CWE-95
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely mitigating controls (derived from the cited CWEs): per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and verifiable flaw remediation corrects them before deployment.
- Anomaly and attack monitoring identifies indicators of injection attacks (command, SQL, LDAP, etc.).