10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50721

GHSA ID

GHSA-7654-vfh6-rw6x

EPSS Score

0.97423%

CWE

CWE-94

Published

12/16/2023

Updated

12/16/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-50721

CVE-2023-50721: Remote code execution from account through SearchAdmin

Impact

The search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user.

To reproduce, edit any document with the object editor, add an object of type XWiki.UIExtensionClass, set "Extension Point Id" to org.xwiki.platform.search, set "Extension ID" to {{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from extension id succeeded!"){{/groovy}}{{/async}}, set "Extension Parameters" to label={{async}}{{groovy}}services.logging.getLogger("attacker").error("Attack from label succeeded!"){{/groovy}}{{/async}} and "Extension Scope" to "Current User". Then open the page XWiki.SearchAdmin, e.g., on http://localhost:8080/xwiki/bin/view/XWiki/SearchAdmin. If there are error log messages in XWiki's log that announce that attacks succeeded, the instance is vulnerable.

Patches

The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1.

Workarounds

The patch can be manually applied to the page XWiki.SearchAdmin.

References

https://github.com/xwiki/xwiki-platform/commit/62863736d78ffd60d822279c5fb7fb9593042766
https://jira.xwiki.org/browse/XWIKI-21200

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-50721

GHSA ID

GHSA-7654-vfh6-rw6x

EPSS Score

0.97423%

CWE

CWE-94

Published

12/16/2023

Updated

12/16/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 4.5-rc-1, < 14.10.15	14.10.15
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.0-rc-1, < 15.5.2	15.5.2
org.xwiki.platform:xwiki-platform-search-ui	maven	>= 15.6-rc-1, < 15.7-rc-1	15.7-rc-1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing escaping in the SearchAdmin interface template (SearchAdmin.xml). The commit diff shows critical additions of $escapetool.xml() and services.rendering.escape() calls to parameters that were previously rendered raw. The reproduction steps demonstrate that unescaped user-controlled values from XWiki.UIExtensionClass objects (id and label) were being interpreted as XWiki syntax, enabling script macro execution. The vulnerable code paths are the template interpolations that process these extension properties without sanitization, particularly in HTML attribute contexts and macro references.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** s**r** **ministr*tion int*r**** *o*sn't prop*rly *s**p* t** i* *n* l***l o* s**r** us*r int*r**** *xt*nsions, *llowin* t** inj**tion o* XWiki synt*x *ont*inin* s*ript m**ros in*lu*in* *roovy m**ros t**t *llow r*mot* *o** *x**ution, imp

Reasoning

T** vuln*r**ility st*ms *rom missin* *s**pin* in t** S**r****min int*r**** t*mpl*t* (S**r****min.xml). T** *ommit *i** s*ows *riti**l ***itions o* $*s**p*tool.xml() *n* s*rvi**s.r*n**rin*.*s**p*() **lls to p*r*m*t*rs t**t w*r* pr*viously r*n**r** r*w

10

Basic Information

Concerned about an active attack path?

CVE-2023-50721: Remote code execution from account through SearchAdmin

Impact

Patches

Workarounds

References

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI