CVE-2023-37277 Information
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts text/plain, multipart/form-data or application/www-form-urlencoded as content types, which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication the vulnerability is mitigated by SameSite cookie restrictions, but as of March 2023 these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks.
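The mitigation the advisory describes, as an added illustration that is not XWiki's own code: a request check that demands a CSRF token header only for state-changing requests whose content type a plain HTML form can produce, and lets other request types (for example JSON bodies) through unchanged. The header name X-CSRF-Token, the session-bound token and the sample requests are assumptions made for this example.

```python
import hmac
from typing import Mapping, Optional

# Content types a plain HTML form can submit cross-site without a CORS
# preflight. These are the ones the advisory names; its
# "application/www-form-urlencoded" is the IANA type
# "application/x-www-form-urlencoded".
FORM_CONTENT_TYPES = {
    "text/plain",
    "multipart/form-data",
    "application/x-www-form-urlencoded",
}
STATE_CHANGING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}

# Assumed header name for this example; the page does not give XWiki's.
CSRF_HEADER = "x-csrf-token"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def base_content_type(value: Optional[str]) -> str:
    """Drop parameters such as '; boundary=...' or '; charset=utf-8'."""
    if not value:
        # No Content-Type at all is treated as form-submittable: a browser
        # can send such a request, so it must not bypass the check.
        return ""
    return value.split(";", 1)[0].strip().lower()


def requires_csrf_token(method: str, headers: Mapping[str, str]) -> bool:
    """True when the request is of a type an HTML form could have produced."""
    if method.upper() not in STATE_CHANGING_METHODS:
        return False
    ctype = base_content_type(_header(headers, "content-type"))
    return ctype == "" or ctype in FORM_CONTENT_TYPES


def check_request(method: str, headers: Mapping[str, str], session_token: str) -> bool:
    """Accept the request unless it needs a CSRF token and lacks a valid one."""
    if not requires_csrf_token(method, headers):
        return True
    presented = _header(headers, CSRF_HEADER) or ""
    # Constant-time comparison against the token bound to the user's session.
    return hmac.compare_digest(presented, session_token)
```

Because a cross-site HTML form cannot set custom headers, a request that carries the token header must have originated from script running on the wiki's own origin, which is what makes the header requirement an effective CSRF defence.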
Reference
https://jira.xwiki.org/browse/XWIKI-20135
https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6xxr-648m-gch6