Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In `org.xwiki.platform:xwiki-platform-web` versions 7.2-milestone-2 until 14.10.12 and `org.xwiki.platform:xwiki-platform-web-templates` prior to versions 14.10.12 and 15.5-rc-1, it is possible to pass a title to the page creation action that isn't displayed at first but then executed in the second step. This can be used by an attacker to trick a victim to execute code, allowing script execution if the victim has script right or remote code execution including full access to the XWiki instance if the victim has programming right.
For the attack to work, the attacker needs to convince the victim to visit a link like `
Remediation
References
https://github.com/xwiki/xwiki-platform/commit/199e27ce7016757e66fa7cea99e718044a1b639b
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-ghf6-2f42-mjh9
https://jira.xwiki.org/browse/XWIKI-20869
Related Vulnerabilities
CVE-2023-36665 Vulnerability in npm package protobufjs
CVE-2023-22467 Vulnerability in maven package org.webjars.bowergithub.moment:luxon
CVE-2018-1304 Vulnerability in maven package org.apache.tomcat:tomcat-catalina
CVE-2023-34093 Vulnerability in npm package @strapi/database
CVE-2016-3092 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core