5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29513

GHSA ID

GHSA-fp36-mjw5-fmgx

EPSS Score

0.67078%

CWE

CWE-284

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-29513

CVE-2023-29513: xwiki-platform-web-templates allows users to be created even when registration is disabled without validation via template macro

Impact

If a guest has view rights on any document, it's possible to create a new user using the distribution/firstadminuser.wiki in the wrong context.

To reproduce:

On a wiki with view rights for guests but user registration disabled, open as guest <server>/xwiki/bin/view/Main?sheet=CKEditor.HTMLConverter&language=en&sourceSyntax=xwiki%2F2.1&stripHTMLEnvelope=true&fromHTML=false&toHTML=true&text=%7B%7Btemplate+name%3D%22distribution%2Ffirstadminuser.wiki%22+%2F%7D%7D where <server> is the URL of your XWiki installation.
Enter username and password of your choice.
Click "Register and login"

Patches

The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.1.

Workarounds

There is no known workaround other than upgrading.

References

https://jira.xwiki.org/browse/XWIKI-19852 https://jira.xwiki.org/browse/XWIKI-20400

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-29513

GHSA ID

GHSA-fp36-mjw5-fmgx

EPSS Score

0.67078%

CWE

CWE-284

Published

4/20/2023

Updated

11/4/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 8.0-rc-1, < 14.10.1	14.10.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the distribution/firstadminuser.wiki template being accessible in non-administrative contexts. This template's macro implementation did not include proper requirement checks (added in XWIKI-20400) to ensure: 1) execution context validity, 2) user registration system status, and 3) proper privileges. Attackers could directly invoke this template through URL parameters to bypass registration controls. The patch introduced template requirement declarations, confirming the absence of these safeguards was the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t I* * *u*st **s vi*w ri**ts on *ny *o*um*nt, it's possi*l* to *r**t* * n*w us*r usin* t** `*istri*ution/*irst**minus*r.wiki` in t** wron* *ont*xt. To r*pro*u**: * On * wiki wit* vi*w ri**ts *or *u*sts *ut us*r r**istr*tion *is**l**, op*n

Reasoning

T** vuln*r**ility st*ms *rom t** *istri*ution/*irst**minus*r.wiki t*mpl*t* **in* ****ssi*l* in non-**ministr*tiv* *ont*xts. T*is t*mpl*t*'s m**ro impl*m*nt*tion *i* not in*lu** prop*r r*quir*m*nt ****ks (***** in XWIKI-*****) to *nsur*: *) *x**ution

5

Basic Information

Concerned about an active attack path?

CVE-2023-29513: xwiki-platform-web-templates allows users to be created even when registration is disabled without validation via template macro

Impact

Patches

Workarounds

References

For more information

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI