
CVE-2023-45136: XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled

CVSS Score: 9.7 (CVSS 3.1)

Basic Information

EPSS Score: 0.98155%
Published: 10/25/2023
Updated: 11/3/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 12.0-rc-1, < 14.10.12 | 14.10.12 |
| org.xwiki.platform:xwiki-platform-web-templates | maven | >= 15.0-rc-1, < 15.5-rc-1 | 15.5-rc-1 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from unescaped Velocity template output in createinline.vm. The commit diff shows that the fix wraps the $services.localization.render() calls for two error messages in $escapetool.xml(). This indicates that the original code lacked output encoding for the templateProvider and allowedSpaces values, which are derived from user-controlled document names and were therefore written into the response as raw HTML. The test cases added in CreateInlinePageTest.java demonstrate that HTML payloads in these parameters were rendered unescaped, confirming the XSS vector.


Impact

When document names are validated according to a name strategy (disabled by default), XWiki is vulnerable to a reflected XSS attack in the page creation form. To reproduce, make sure that "Validate names before saving" is enabled in the
