Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.
For the attack to work, the attacker needs to convince the victim to visit a link like `
Remediation
References
https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9
https://jira.xwiki.org/browse/XWIKI-20869
Related Vulnerabilities
CVE-2023-40827 Vulnerability in maven package org.pf4j:pf4j
CVE-2011-1475 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2020-36632 Vulnerability in npm package flat
CVE-2023-4043 Vulnerability in maven package org.eclipse.parsson:parsson
CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http3:http3-qpack