10

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-45138

CVE-2023-45138: XWiki Change Request Application UI XSS and remote code execution through change request title

Impact

It's possible for a user without any specific right to perform script injection and remote code execution just by inserting an appropriate title when creating a new Change Request. This vulnerability is particularly critical as Change Request aims at being created by user without any particular rights.

Patches

The vulnerability has been fixed in Change Request 1.9.2.

Workarounds

It's possible to workaround the issue without upgrading by editing the document ChangeRequest.Code.ChangeRequestSheet and by performing the same change as in the commit: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4.

References

JIRA ticket: https://jira.xwiki.org/browse/CRAPP-298
Commit of the fix: https://github.com/xwiki-contrib/application-changerequest/commit/7565e720117f73102f5a276239eabfe85e15cff4

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Attribution

Thanks Michael Hamann for the report.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-45138

CVE-2023-45138:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.contrib.changerequest:application-changerequest-ui	maven	>= 0.11, < 1.9.2	1.9.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped rendering of user-controlled title input in the Change Request UI template. The commit diff shows the fix added $services.rendering.escape() to sanitize the title output. The original code's direct use of $doc.title in a label element (without escaping) allowed script injection. XWiki's template engine executes embedded Groovy code, enabling RCE when malicious content is rendered.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-45138: XWiki Change Request Application UI XSS and remote code execution through change request title

Impact

Patches

Workarounds

References

For more information

Attribution

CVE-2023-45138:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2023-45138: XWiki Change Request Application UI XSS and remote code execution through change request title

Impact

Patches

Workarounds

References

For more information

Attribution

Basic Information

Basic Information

Technical Details

10

10

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI