10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-50721

GHSA ID

GHSA-7654-vfh6-rw6x

EPSS Score

0.97423%

CWE

CWE-94

Published

12/16/2023

Updated

12/16/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50721

CVE-2023-50721: Remote code execution from account through SearchAdmin

Impact

The search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user.

To reproduce, edit any document with the object editor, add an object of type XWiki.UIExtensionClass, set "Extension Point Id" to org.xwiki.platform.search, set "Extension ID" to {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}, set "Extension Parameters" to label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}} and "Extension Scope" to "Current User". Then open the page XWiki.SearchAdmin, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki's log that announce that attacks succeeded, the instance is vulnerable.

Patches

The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1.

Workarounds

The patch can be manually applied to the page XWiki.SearchAdmin.

References

https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
https://jira.xwiki.org/browse/XWIKI-21200

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-50721

CVE-2023-50721:

10

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-50721

GHSA ID

GHSA-7654-vfh6-rw6x

EPSS Score

0.97423%

CWE

CWE-94

Published

12/16/2023

Updated

12/16/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 4.5-rc-1, < 14.10.15	14.10.15
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.0-rc-1, < 15.5.2	15.5.2
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.6-rc-1, < 15.7-rc-1	15.7-rc-1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing escaping in the SearchAdmin interface template (SearchAdmin.xml). The commit diff shows critical additions of $escapetool.xml() and services.rendering.escape() calls to parameters that were previously rendered raw. The reproduction steps demonstrate that unescaped user-controlled values from XWiki.UIExtensionClass objects (id and label) were being interpreted as XWiki syntax, enabling script macro execution. The vulnerable code paths are the template interpolations that process these extension properties without sanitization, particularly in HTML attribute contexts and macro references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

10

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-50721: Remote code execution from account through SearchAdmin

Impact

Patches

Workarounds

References

CVE-2023-50721:

10

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

10

10

Technical Details

Basic Information

Basic Information

CVE-2023-50721: Remote code execution from account through SearchAdmin

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI