9.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-35150

CVE-2023-35150: XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application

Impact

Any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. See the example below: Open <xwiki-host>/xwiki/bin/view/%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=Invitation.InvitationGuestActions&xpage=view where <xwiki-host> is the URL of your XWiki installation.

Patches

The problem as been patching on XWiki 15.0, 14.10.4 and 14.4.8.

Workarounds

It is possible to partially fix the issue by applying this patch. Note that some additional issue can remain and can be fixed automatically by a migration. Hence, it is advised to upgrade to one of the patched version instead of patching manually.

References

https://jira.xwiki.org/browse/XWIKI-20285

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-35150

CVE-2023-35150:

9.9

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-invitation-ui	maven	>= 2.4-m-2, < 14.4.8	14.4.8
org.xwiki.platform:xwiki-platform-invitation-ui	maven	>= 14.5, < 14.10.4	14.10.4
org.xwiki.platform:xwiki-platform-invitation-ui	maven	>= 15.0-rc-1, < 15.0	15.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper escaping of user-controlled input in Velocity templates used by the Invitation application. The patch specifically adds escaping using $services.rendering.escape() for parameters passed to localization messages and dynamically generated content. Files like InvitationGuestActions.xml and InvitationCommon.xml show direct modifications where unescaped parameters were previously inserted into executable code contexts. These unescaped parameters allowed attackers to inject Velocity/Groovy code via URL parameters, which would be executed with programming rights due to the document's sheet context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

9.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-35150: XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application

Impact

Patches

Workarounds

References

For more information

CVE-2023-35150:

9.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

9.9

9.9

CVE-2023-35150: XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application

Impact

Patches

Workarounds

References

For more information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI