8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37909

GHSA ID

GHSA-v2rr-xw95-wcjx

EPSS Score

0.92862%

CWE

CWE-94

Published

10/25/2023

Updated

11/10/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-37909

CVE-2023-37909:
Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet

Impact

Any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This can be reproduced with the following steps:

As an advanced user, use the object editor to add an object of type UIExtensionClass to your user profile. Set the value "Extension Point ID" to {{/html}}{{async async=false cache=false}}{{groovy}}println("Hello from Groovy!"){{/groovy}}{{/async}}
Open <xwiki-host>/xwiki/bin/edit/XWiki/<username>?sheet=Menu.UIExtensionSheet where <xwiki-host> is the URL of your XWiki installation and <username> is your user name.

If the text Hello from Groovy!" selected="selected"> is displayed in the output, the attack succeeded.

Patches

This has been patched in XWiki 14.10.8 and 15.3 RC1 by adding proper escaping.

Workarounds

The patch can be manually applied to the document Menu.UIExtensionSheet, only three lines need to be changed.

References

https://jira.xwiki.org/browse/XWIKI-20746
https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-37909

GHSA ID

GHSA-v2rr-xw95-wcjx

EPSS Score

0.92862%

CWE

CWE-94

Published

10/25/2023

Updated

11/10/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-menu	maven	>= 5.1-rc-1, < 14.10.8	14.10.8
org.xwiki.platform:xwiki-platform-menu-ui	maven	>= 5.1-rc-1, < 14.10.8	14.10.8
org.xwiki.platform:xwiki-platform-menu-ui	maven	>= 15.0-rc-1, < 15.3-rc-1	15.3-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing output escaping in the Menu.UIExtensionSheet document's Velocity template. The commit diff shows three critical changes adding $escapetool.xml() escaping:

Around localization render calls for extension point titles
Around the extensionPointId value in option tags

Without this escaping, user-controlled input (like Groovy/Python macros in extensionPointId) would be rendered as raw HTML/script content. This matches the attack pattern described where {{/html}} closing tags and macro syntax could break out of HTML context to execute scripts. The vulnerability manifests in template rendering functions that handle UI extension configuration display, making the Velocity template code responsible for outputting these values the clear vulnerable component.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ny us*r w*o **n **it t**ir own us*r pro*il* **n *x**ut* *r*itr*ry s*ript m**ros in*lu*in* *roovy *n* Pyt*on m**ros t**t *llow r*mot* *o** *x**ution in*lu*in* unr*stri*t** r*** *n* writ* ****ss to *ll wiki *ont*nts. T*is **n ** r*pro*u***

Reasoning

T** vuln*r**ility st*ms *rom missin* output *s**pin* in t** M*nu.UI*xt*nsionS***t *o*um*nt's V*lo*ity t*mpl*t*. T** *ommit *i** s*ows t*r** *riti**l ***n**s ***in* $*s**p*tool.xml() *s**pin*: *. *roun* lo**liz*tion r*n**r **lls *or *xt*nsion point ti

8.8

Basic Information

Concerned about an active attack path?

CVE-2023-37909: Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet

Impact

Patches

Workarounds

References

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-37909:
Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet

Vulnerability Intelligence
Miggo AI