CVE-2023-37912
Published: 25 October 2023
Summary
CVE-2023-37912 is a critical-severity Privilege Context Switching Error (CWE-270) vulnerability in XWiki Rendering (xwiki-rendering). Its CVSS base score is 9.9 (Critical).
Operationally, it ranks in the top 6.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
XWiki Rendering, the component of the XWiki platform that converts content from one textual syntax into another, contains a context-handling flaw in its footnote macro. Affected packages are org.xwiki.platform:xwiki-core-rendering-macro-footnotes and org.xwiki.platform:xwiki-rendering-macro-footnotes prior to 14.10.6, and org.xwiki.platform:xwiki-rendering-macro-footnotes prior to 15.1-rc-1. The macro renders its content in a context that may differ from the page where it was defined, which enables privilege escalation when combined with the include macro.
An authenticated user with only basic edit rights can embed a footnote macro that includes attacker-controlled content, thereby obtaining programming rights. Successful exploitation yields remote code execution on the XWiki server, with full impact on the confidentiality, integrity, and availability of the installation. The vulnerability carries a CVSS 3.1 score of 9.9.
The GitHub Security Advisory and XWiki Jira entry state that the issue is resolved in the listed releases and that no workaround exists other than upgrading the footnote macro. The associated EPSS score has remained flat at 0.0989 since disclosure, indicating no material increase in observed exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2625
Vulnerability details
XWiki Rendering is a generic Rendering system that converts textual input in a given syntax into another syntax. Prior to version 14.10.6 of `org.xwiki.platform:xwiki-core-rendering-macro-footnotes` and `org.xwiki.platform:xwiki-rendering-macro-footnotes` and prior to version 15.1-rc-1 of `org.xwiki.platform:xwiki-rendering-macro-footnotes`, the footnote macro executed its content in a potentially different context than the one in which it was defined. In particular in combination with the include macro, this allows privilege escalation from a simple user account in XWiki to programming rights and thus remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki installation. This vulnerability has been patched in XWiki 14.10.6 and 15.1-rc-1. There is no workaround apart from upgrading to a fixed version of the footnote macro.
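A simplified model of the bug class described above, added here as an illustration and not XWiki's own code: the macro syntax, the rights table and the assumption that footnotes are collected and rendered after the page body are constructed for the example. The vulnerable path renders deferred footnotes in the top-level page's context, so content authored by a low-privilege user in an included page inherits the including author's rights; the fixed path keeps each footnote bound to the author of the document that defined it.

```python
import re
from dataclasses import dataclass

@dataclass
class Doc:
    author: str    # user who last saved the page; its macros run with that user's rights
    content: str

PROGRAMMING_RIGHTS = {"admin"}   # constructed rights table: only admin may run scripts
FOOTNOTE = re.compile(r"\{\{footnote\}\}(.*?)\{\{/footnote\}\}", re.S)
INCLUDE = re.compile(r"\{\{include ref='([^']+)'/\}\}")
SCRIPT = re.compile(r"\{\{script\}\}(.*?)\{\{/script\}\}", re.S)

def run_script(body, author):
    # Script content only runs when the effective author holds programming rights.
    if author not in PROGRAMMING_RIGHTS:
        return "[script denied for %s]" % author
    return "[script ran as %s: %s]" % (author, body.strip())

def render(docs, name, fixed):
    # Renders docs[name]; footnotes are collected and emitted after the body
    # (an assumed deferral). fixed=False runs deferred footnotes in the top-level
    # page's context (the CWE-270 pattern); fixed=True keeps each footnote bound
    # to the author of the document that defined it.
    notes = []

    def render_doc(doc):
        def collect(m):
            notes.append((m.group(1), doc.author))   # remember the defining author
            return "[%d]" % len(notes)
        text = FOOTNOTE.sub(collect, doc.content)    # defer footnotes first
        text = INCLUDE.sub(lambda m: render_doc(docs[m.group(1)]), text)
        return SCRIPT.sub(lambda m: run_script(m.group(1), doc.author), text)

    out = [render_doc(docs[name])]
    for note, defined_by in notes:
        author = defined_by if fixed else docs[name].author
        out.append(SCRIPT.sub(lambda m: run_script(m.group(1), author), note))
    return "\n".join(out)

# Constructed sample: an admin-saved page includes a page saved by a plain user.
DOCS = {
    "Admin.Home": Doc("admin", "Welcome. {{include ref='Alice.Page'/}}"),
    "Alice.Page": Doc("alice", "Hi{{footnote}}{{script}}1 + 1{{/script}}{{/footnote}}"),
}

if __name__ == "__main__":
    print(render(DOCS, "Admin.Home", fixed=False))   # footnote script runs as admin
    print(render(DOCS, "Admin.Home", fixed=True))    # footnote script denied for alice
```

Rendering Alice.Page on its own denies the script in both modes; the escalation only appears when the footnote crosses into another author's page through the include, which is why the fix must carry the defining author with the deferred content.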
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.