Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-40572: XWIKI-20849: Require a CSRF token in the create action · xwiki/xwiki-platform@4b20528

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message ERROR foo - Script executed! appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation.

CVE
#csrf#java#rce#acer

Expand Up

@@ -23,6 +23,7 @@

import java.util.Locale;

import java.util.Map;

import javax.inject.Inject;

import javax.inject.Named;

import javax.inject.Provider;

import javax.inject.Singleton;

Expand Down Expand Up

@@ -96,6 +97,9 @@ public class CreateAction extends XWikiAction

*/

private static final String LOCAL_SERIALIZER_HINT = "local";

@Inject

private CSRFToken csrf;

/**

* The action to perform when creating a new page from a template.

*

Expand Down Expand Up

@@ -185,9 +189,12 @@ public String render(XWikiContext context) throws XWikiException

checkRights(newDocumentReference.getLastSpaceReference(), context);

// Check if the document to create already exists and if it respects the name strategy

// Also check the CSRF token.

XWikiDocument newDocument = context.getWiki().getDocument(newDocumentReference, context);

if (handler.isDocumentAlreadyExisting(newDocument) || handler.isDocumentPathTooLong(newDocumentReference)

|| !this.isEntityReferenceNameValid(newDocumentReference)) {

|| !this.isEntityReferenceNameValid(newDocumentReference)

|| !this.csrf.isTokenValid(context.getRequest().getParameter(“form_token”)))

{

return CREATE_TEMPLATE;

}

Expand Down Expand Up

@@ -334,8 +341,7 @@ private String getRedirectParameters(String parent, String title, String templat

redirectParams += “&title=” + Util.encodeURI(title, null);

}

// Both the save and the edit action might require a CSRF token

CSRFToken csrf = Utils.getComponent(CSRFToken.class);

redirectParams += “&form_token=” + Util.encodeURI(csrf.getToken(), null);

redirectParams += “&form_token=” + Util.encodeURI(this.csrf.getToken(), null);

return redirectParams;

}

Expand Down

Related news

GHSA-4f8m-7h83-9f6m: XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action

### Impact The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. To reproduce, the XWiki syntax `[[image:path:/xwiki/bin/create/Foo/WebHome?template=&parent=Main.WebHome&title=$services.logging.getLogger(%22foo%22).error(%22Script%20executed!%22)]]` can be added to any place that supports XWiki syntax like a comment. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. ### Patches This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation. ### Workarounds There are no known workarounds. ### References * https://jira.xwiki.org/browse/XWIKI-20849 * https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907