9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45136

GHSA ID

GHSA-qcj9-gcpg-4w2w

EPSS Score

0.98155%

CWE

CWE-79

Published

10/25/2023

Updated

11/3/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-45136

CVE-2023-45136: XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled

Impact

When document names are validated according to a name strategy (disabled by default), XWiki is vulnerable to a reflected XSS attack in the page creation form. To reproduce, make sure that "Validate names before saving" is enabled in the administration under "Editing" -> "Name strategies" and then open <xwiki-host>/xwiki/bin/create/Main/%3Cscript%3Ealert%28%27Test%20Test%20Test%20Test%20Test%27%29%3C%2Fscript%3E where <xwiki-host> is the URL of your XWiki installation. This displays an alert if the installation is vulnerable. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link. Depending on the rights of the user, this may allow remote code execution and full read and write access to the whole XWiki installation.

Patches

This has been patched in XWiki 14.10.12 and 15.5-RC-1 by adding appropriate escaping.

Workarounds

The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

(GitHub Advisory)

9.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-45136

GHSA ID

GHSA-qcj9-gcpg-4w2w

EPSS Score

0.98155%

CWE

CWE-79

Published

10/25/2023

Updated

11/3/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 12.0-rc-1, < 14.10.12	14.10.12
org.xwiki.platform:xwiki-platform-web-templates	maven	>= 15.0-rc-1, < 15.5-rc-1	15.5-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped Velocity template outputs in createinline.vm. The commit diff shows that the fix involved adding $escapetool.xml() wrappers around $services.localization.render() calls for two error messages. This indicates the original code lacked proper output encoding for the templateProvider and allowedSpaces values, which are derived from user-controlled document names. The test cases added in CreateInlinePageTest.java demonstrate that HTML payloads in these parameters were rendered unescaped, confirming the XSS vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n *o*um*nt n*m*s *r* v*li**t** ***or*in* to * n*m* str*t**y (*is**l** *y ****ult), XWiki is vuln*r**l* to * r**l**t** XSS *tt**k in t** p*** *r**tion *orm. To r*pro*u**, m*k* sur* t**t "V*li**t* n*m*s ***or* s*vin*" is *n**l** in t** **

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** V*lo*ity t*mpl*t* outputs in `*r**t*inlin*.vm`. T** *ommit *i** s*ows t**t t** *ix involv** ***in* `$*s**p*tool.xml()` wr*pp*rs *roun* `$s*rvi**s.lo**liz*tion.r*n**r()` **lls *or two *rror m*ss***s. T*is in*i**t

9.7

Basic Information

Concerned about an active attack path?

CVE-2023-45136: XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled

Impact

Patches

Workarounds

9.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI