CVE-2023-37277
July 10, 2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks.
Affected Packages
org.xwiki.platform:xwiki-platform-rest-server (JAVA):
Affected version(s) >=3.1-milestone-1 <=14.4-rc-1Fix Suggestion:
Update to version no_fixcom.xpn.xwiki.platform:xwiki-core-rest-server (JAVA):
Affected version(s) >=3.0-milestone-3 <=3.0.1Fix Suggestion:
Update to version no_fixcom.xpn.xwiki.platform:xwiki-rest (JAVA):
Affected version(s) >=1.8 <=2.5-milestone-1Fix Suggestion:
Update to version no_fixRelated Resources (5)
Do you need more information?
Contact UsCVSS v4
Base Score:
9.4
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
9.6
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Cross-Site Request Forgery (CSRF)
EPSS
Base Score:
2.26
