CVE-2023-45138
Published: 12 October 2023
Summary
CVE-2023-45138 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in XWiki Change Request. Its CVSS base score is 10.0 (Critical).
Operationally, it is ranked in the top 0.9% of CVEs by predicted exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.
Deeper analysis
Change Request is an XWiki application that lets users submit proposed edits to a wiki without publishing them directly. Versions 0.11 through 1.9.1 contain a script-injection flaw: the title supplied when creating a new change request is rendered by the document ChangeRequest.Code.ChangeRequestSheet without adequate sanitization, so script content placed in the title is evaluated server-side with the rights of the sheet rather than those of the submitter. That is what turns a crafted title into remote code execution on the wiki host.
A user without any specific right can trigger the vulnerability simply by creating a change request, because the application is explicitly designed to accept submissions from users who hold no special permissions. Successful exploitation yields complete confidentiality, integrity, and availability impact, reflected in the CVSS 10.0 score.
The project’s security advisory and the fix commit at 7565e720117f73102f5a276239eabfe85e15cff4 state that the vulnerability is resolved in Change Request 1.9.2. Administrators who cannot upgrade immediately can apply the same patch manually by editing the ChangeRequest.Code.ChangeRequestSheet document.
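The mechanism above (untrusted title text interpreted as wiki markup, where a script macro such as groovy or velocity executes server-side) suggests a simple triage check an administrator can run against existing change requests while the upgrade or manual patch is being rolled out. The following is an added example, not code from the Change Request project or its fix commit: it classifies titles by whether they contain XWiki macro syntax, and shows the escaping that makes a title literal. The sample titles are constructed, the list of script macros is an assumption to be adjusted to the wiki's installed macros, and `escape_xwiki_2x` approximates the effect of XWiki's `$services.rendering.escape(text, syntax)` for xwiki/2.x syntax (every character prefixed with `~`); it is not the project's own implementation.

```python
import re

# Constructed sample titles, as they might be pulled from a wiki export or the
# REST API (hypothetical data, not taken from any real instance).
SAMPLE_TITLES = [
    "Fix typo on Main.WebHome",
    "{{groovy}}println new File('/etc/hostname').text{{/groovy}}",
    "{{velocity}}$request.getRemoteAddr(){{/velocity}}",
    "Update {{info}}release notes{{/info}}",
    "Release 1.9.2",
]

# Macros whose body is evaluated as script when the containing document is
# rendered. Assumed list; adjust to the macros actually installed on the wiki.
SCRIPT_MACROS = {"groovy", "velocity", "python", "php", "ruby", "script"}

# Matches an XWiki 2.x macro opening or closing tag, e.g. {{groovy}} or {{/groovy}},
# and captures the macro name.
MACRO_RE = re.compile(r"\{\{/?\s*([A-Za-z][\w-]*)")


def find_macros(title):
    """Return the set of macro names (lower-cased) referenced in a title."""
    return {m.group(1).lower() for m in MACRO_RE.finditer(title)}


def classify_title(title):
    """Classify a change request title by the kind of markup it carries.

    'script-injection' : contains a macro that executes code server-side
    'markup-injection' : contains other macro syntax (rendered, but not executed)
    'clean'            : no macro syntax at all
    """
    macros = find_macros(title)
    if macros & SCRIPT_MACROS:
        return "script-injection"
    if macros:
        return "markup-injection"
    return "clean"


def escape_xwiki_2x(text):
    """Approximate $services.rendering.escape(text, 'xwiki/2.1').

    In XWiki 2.x syntax '~' escapes the following character, so prefixing every
    character makes the whole string render as literal text instead of markup.
    """
    return "".join("~" + c for c in text)


def triage(titles):
    """Return (title, classification) pairs for a batch of titles."""
    return [(t, classify_title(t)) for t in titles]


if __name__ == "__main__":
    for title, verdict in triage(SAMPLE_TITLES):
        print(f"{verdict:17} {title!r}")
    print("escaped:", escape_xwiki_2x("{{groovy}}x{{/groovy}}"))
```

Titles flagged `script-injection` on an unpatched instance are the ones to review first, since they would have executed with the sheet's rights when the change request was viewed. The escaping shown is only the idea behind the fix; the authoritative change is the one in the fix commit referenced above.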
The current EPSS score of 0.7843 equals its highest observed value. EPSS estimates the probability that exploitation activity will be observed within the next 30 days; it is a prediction, not evidence of confirmed exploitation, and the CVE remains absent from the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2722
Vulnerability details
Change Request is an application allowing users to request changes on a wiki without publishing the changes directly. Starting in version 0.11 and prior to version 1.9.2, it's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by users without any particular rights. The vulnerability has been fixed in Change Request 1.9.2. It's possible to work around the issue without upgrading by editing the document `ChangeRequest.Code.ChangeRequestSheet` and by performing the same change as in the fix commit.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-79) cited in the NVD entry and is generic to cross-site scripting rather than specific to this flaw.
- Penetration testing: submit XSS payloads to the application's input fields (here, the change request title) to detect script injection for subsequent remediation.
- Input validation: reject or neutralize script-related content in web inputs before it is stored.
- Output encoding and validation: escape or sanitize stored content when it is rendered into generated pages, so that markup or script in user data is displayed as text rather than interpreted.