CVE-2023-35166
CVE-2023-35166
9.9
CriticalPublished:
Last updated:
Source:security-advisories@github.com
Modified
Weakness (CWE)
CVSS Vector
v3.1- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- Low
- User Interaction
- None
- Scope
- Changed
- Confidentiality
- High
- Integrity
- High
- Availability
- High
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. It's possible to execute any wiki content with the right of the TipsPanel author by creating a tip UI extension. This has been patched in XWiki 15.1-rc-1 and 14.10.5.
Comprehensive Technical Analysis of CVE-2023-35166 (XWiki Platform Remote Code Execution Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2023-35166 CVSS Score: 9.9 (Critical) – CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Vector Breakdown:
- Attack Vector (AV:N): Network-exploitable (remote attack surface).
- Attack Complexity (AC:L): Low – Exploitation requires minimal effort.
- Privileges Required (PR:L): Low – Attacker needs low-privilege access (e.g., authenticated user).
- User Interaction (UI:N): None – Exploitation does not require victim interaction.
- Scope (S:C): Changed – Impact extends beyond the vulnerable component (privilege escalation).
- Confidentiality (C:H), Integrity (I:H), Availability (A:H): High impact across all CIA triad components.
Severity Justification
This vulnerability is critical due to:
- Remote Exploitability: Attackers can trigger arbitrary code execution (ACE) over the network.
- Low Privilege Requirement: Only a low-privileged user account is needed to exploit.
- High Impact: Full system compromise (RCE) with the privileges of the
TipsPanelauthor (potentially administrative). - Wormable Potential: If combined with other vulnerabilities, could enable lateral movement in enterprise environments.
2. Potential Attack Vectors and Exploitation Methods
Root Cause Analysis
The vulnerability stems from improper sandboxing of UI extensions in XWiki’s TipsPanel component. Specifically:
- The
TipsPanelallows users to create and render wiki content (e.g., Velocity scripts, Groovy macros) with the privileges of the panel’s author. - Prior to the patch, no proper authorization checks were enforced, allowing low-privileged users to inject malicious scripts that execute with elevated permissions.
Exploitation Steps
- Authentication: Attacker gains access to an XWiki instance with a low-privileged account (e.g.,
XWiki.XWikiGuestor a standard user). - Crafting Malicious Tip:
- The attacker creates a new UI extension (tip) containing arbitrary code (e.g., Velocity, Groovy, or JavaScript).
- Example payload (Groovy RCE):
{{groovy}} def process = "id".execute() println "Command output: ${process.text}" {{/groovy}}
- Triggering Execution:
- The malicious tip is rendered in the
TipsPanel, executing the embedded code with the privileges of theTipsPanelauthor (often an admin).
- The malicious tip is rendered in the
- Post-Exploitation:
- Privilege Escalation: If the
TipsPanelauthor has admin rights, the attacker gains full control. - Persistence: Attacker may install backdoors, exfiltrate data, or pivot to other systems.
- Privilege Escalation: If the
Exploitation Requirements
- No User Interaction Needed: The attack is fully automated once the malicious tip is created.
- Low Skill Level: Exploitation requires basic knowledge of XWiki scripting (Velocity/Groovy).
- No Special Tools: Can be executed via a web browser or automated scripts (e.g.,
curl, Burp Suite).
3. Affected Systems and Software Versions
Vulnerable Versions
- XWiki Platform versions prior to 15.1-rc-1 and 14.10.5.
- All deployments using the
TipsPanelextension (default in many XWiki installations).
Unaffected Versions
- XWiki 15.1-rc-1 and later.
- XWiki 14.10.5 and later.
Deployment Scenarios at Risk
- Public-facing XWiki instances (e.g., corporate wikis, documentation portals).
- Internal enterprise wikis where low-privileged users have access.
- Cloud-hosted XWiki deployments (SaaS or self-managed).
4. Recommended Mitigation Strategies
Immediate Actions
-
Apply Patches:
- Upgrade to XWiki 15.1-rc-1 or 14.10.5 (or later) immediately.
- Patch commit:
98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263.
-
Workarounds (if patching is delayed):
- Disable
TipsPanel:- Remove or disable the
TipsPanelextension via XWiki administration.
- Remove or disable the
- Restrict Scripting Permissions:
- Limit Velocity/Groovy execution to trusted users via XWiki Rights Management.
- Network Segmentation:
- Isolate XWiki instances from untrusted networks (e.g., DMZ, internal firewalls).
- Disable
-
Monitor for Exploitation:
- Log Analysis: Check for unusual
TipsPanelactivity (e.g., script execution logs). - WAF Rules: Deploy signatures to detect malicious script injection (e.g., OWASP ModSecurity Core Rule Set).
- Endpoint Detection & Response (EDR): Monitor for suspicious child processes spawned by the XWiki Java process.
- Log Analysis: Check for unusual
Long-Term Hardening
- Principle of Least Privilege (PoLP):
- Ensure
TipsPanelauthors do not have admin rights.
- Ensure
- Regular Audits:
- Review XWiki user permissions and extension configurations.
- Automated Patching:
- Implement a patch management system for XWiki updates.
- Runtime Application Self-Protection (RASP):
- Deploy RASP solutions to detect and block script-based attacks.
5. Impact on the Cybersecurity Landscape
Enterprise Risk
- High Likelihood of Exploitation:
- Given the low barrier to exploitation and high impact, this vulnerability is highly attractive to attackers.
- Targeted by APTs & Ransomware Groups: XWiki is widely used in enterprises for documentation, making it a prime target for lateral movement.
- Supply Chain Risks:
- If XWiki is integrated with other enterprise systems (e.g., CI/CD, ticketing), compromise could lead to wider breaches.
Broader Implications
- Increased Focus on Wiki Platforms:
- Similar vulnerabilities may exist in other wiki platforms (e.g., MediaWiki, Confluence).
- Shift in Attacker Tactics:
- Attackers may increasingly target collaboration tools (wikis, CMS) as initial access vectors.
- Regulatory & Compliance Risks:
- Organizations failing to patch may face GDPR, HIPAA, or SOX violations if data is exfiltrated.
6. Technical Details for Security Professionals
Vulnerability Mechanics
- Component:
TipsPanelUI extension (part of XWiki’s Extension Manager). - Root Cause: Missing authorization checks in
TipsPanelMacroallow arbitrary script execution with the privileges of the panel’s author. - Patch Analysis:
- The fix (GitHub Commit) adds programmatic rights checks before rendering tips:
if (!this.authorization.hasAccess(Right.SCRIPT, context.getUserReference(), context.getDoc().getDocumentReference())) { throw new AccessDeniedException("Script right required to execute tip content"); }
- The fix (GitHub Commit) adds programmatic rights checks before rendering tips:
Exploitation Proof of Concept (PoC)
- Create a Malicious Tip:
#set($discard = $xwiki.scriptService.get("groovy").evaluate("println 'RCE achieved'; def cmd = 'id'.execute(); println cmd.text")) - Save as a New Tip:
- Navigate to
http://<xwiki-instance>/xwiki/bin/view/TipsPanel/AddTip. - Submit the payload.
- Navigate to
- Trigger Execution:
- The tip is rendered, executing the Groovy script with the
TipsPanelauthor’s privileges.
- The tip is rendered, executing the Groovy script with the
Detection & Forensics
-
Logs to Monitor:
- XWiki Logs (
xwiki.log):- Look for
ScriptServiceorGroovyMacroexecution events.
- Look for
- Web Server Logs (Apache/Nginx):
- Unusual
POSTrequests to/xwiki/bin/view/TipsPanel/AddTip.
- Unusual
- Process Monitoring:
- Suspicious child processes spawned by the XWiki Java process (e.g.,
bash,powershell,curl).
- Suspicious child processes spawned by the XWiki Java process (e.g.,
- XWiki Logs (
-
Indicators of Compromise (IOCs):
- Unexpected
TipsPanelmodifications. - Unauthorized script execution logs.
- Outbound connections from the XWiki server to C2 servers.
- Unexpected
Advanced Mitigation Techniques
- Custom WAF Rules:
- Block requests containing
{{groovy}},{{velocity}}, or{{script}}inTipsPanelsubmissions.
- Block requests containing
- File Integrity Monitoring (FIM):
- Monitor
TipsPanelconfiguration files for unauthorized changes.
- Monitor
- Network Micro-Segmentation:
- Restrict XWiki server communication to only necessary endpoints.
Conclusion
CVE-2023-35166 represents a critical remote code execution vulnerability in XWiki Platform, enabling low-privileged attackers to gain full control of affected systems. Given its high CVSS score (9.9), ease of exploitation, and widespread deployment, organizations must prioritize patching and implement defensive measures to prevent exploitation.
Key Takeaways for Security Teams:
✅ Patch immediately (XWiki 15.1-rc-1 / 14.10.5).
✅ Disable TipsPanel if patching is delayed.
✅ Monitor for exploitation attempts (logs, WAF, EDR).
✅ Enforce least privilege for XWiki users.
✅ Assume breach and conduct forensic analysis if compromise is suspected.
This vulnerability underscores the importance of securing collaboration platforms and maintaining rigorous patch management in enterprise environments.
References
security-advisories@github.com
https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178security-advisories@github.com
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7hsecurity-advisories@github.com
https://jira.xwiki.org/browse/XWIKI-20281af854a3a-2127-422b-91ae-364da2661108
https://github.com/xwiki/xwiki-platform/commit/98208c5bb1e8cdf3ff1ac35d8b3d1cb3c28b3263#diff-4e3467d2ef3871a68b2f910e67cf84531751b32e0126321be83c0f1ed5d90b29L176-R178af854a3a-2127-422b-91ae-364da2661108
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h7cw-44vp-jq7haf854a3a-2127-422b-91ae-364da2661108
https://jira.xwiki.org/browse/XWIKI-20281