CVE-2023-35161 Overview
CVE-2023-35161 is a Cross-Site Scripting (XSS) vulnerability in XWiki Platform, a generic wiki platform offering runtime services for applications built on top of it. Attackers can forge a malicious URL with a JavaScript payload that injects script content into the page when processed by the DeleteApplication component. The vulnerability specifically affects the xredirect parameter handling in the AppWithinMinutes DeleteApplication page.
Critical Impact
Unauthenticated attackers can craft malicious URLs to execute arbitrary JavaScript in the context of authenticated user sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims.
Affected Products
- XWiki Platform versions 6.2-milestone-1 through 14.10.4
- XWiki Platform versions 15.0-rc-1 through 15.0
- XWiki xwiki (all affected versions per CPE data)
Discovery Timeline
- 2023-06-23 - CVE CVE-2023-35161 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-35161
Vulnerability Analysis
This reflected XSS vulnerability exists in the XWiki Platform's DeleteApplication page within the AppWithinMinutes module. The vulnerability allows attackers to inject JavaScript code through a carefully crafted URL that exploits the xredirect parameter. When a user clicks on a malicious link or is redirected to such a URL, the JavaScript payload executes within the user's browser session, potentially compromising sensitive data or performing unauthorized actions.
The vulnerability requires user interaction—specifically, a victim must be tricked into clicking or navigating to the malicious URL. When successfully exploited, the attack can affect other users' sessions due to the changed scope context, enabling cross-origin attacks against other domains or subdomains within the XWiki deployment.
Root Cause
The root cause is improper input validation and sanitization of the xredirect parameter in the DeleteApplication template. Prior to the patch, the application directly used the user-supplied redirect URL without validating that it was a safe, legitimate URL. This allowed the injection of javascript: protocol URLs, which execute JavaScript when processed by the browser.
The vulnerable code directly assigned the request parameter to the cancel URL without any sanitization:
#set ($cancelURL = $request.xredirect)
#set ($confirmParams.xredirect = $cancelURL)
Attack Vector
The attack vector is network-based and requires user interaction. An attacker constructs a malicious URL targeting the DeleteApplication endpoint with a JavaScript payload in the xredirect parameter. The exploitation path is as follows:
xwiki/bin/view/AppWithinMinutes/DeleteApplication?appName=Menu&resolve=true&xredirect=javascript:alert(document.domain)
When a victim with an active XWiki session clicks this link, the JavaScript payload executes in their browser context. Attackers can replace the simple alert() with more sophisticated payloads to steal session cookies, perform CSRF attacks, or exfiltrate sensitive data.
The following patch demonstrates how XWiki addressed this vulnerability by implementing URL sanitization:
'form_token': $services.csrf.token
})
#if ("$!request.xredirect" != '')
- #set ($cancelURL = $request.xredirect)
- #set ($confirmParams.xredirect = $cancelURL)
+ #getSanitizedURLAttributeValue('a','href',$request.xredirect,$doc.getURL(),$cancelURL)
+ ## We don't sanitize those parameters as the sanitation will be handled server side.
+ #set ($confirmParams.xredirect = $request.xredirect)
#end
#set ($confirmURL = $doc.getURL($xcontext.action, $escapetool.url($confirmParams)))
{{html}}
Source: GitHub Commit for XWiki
Detection Methods for CVE-2023-35161
Indicators of Compromise
- Web server access logs containing requests to /AppWithinMinutes/DeleteApplication with xredirect=javascript: patterns
- URL-encoded variations of javascript: protocol in xredirect parameters (e.g., %6a%61%76%61%73%63%72%69%70%74:)
- Unusual outbound connections or data exfiltration following user access to XWiki pages
- Reports from users experiencing unexpected browser behavior or redirects when using XWiki
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing javascript: in URL parameters
- Configure intrusion detection systems (IDS) to alert on XSS payload patterns targeting XWiki endpoints
- Enable detailed access logging on XWiki servers and monitor for suspicious parameter patterns in the AppWithinMinutes module
- Deploy browser-based XSS auditors and Content Security Policy (CSP) headers to detect and prevent script execution from untrusted sources
Monitoring Recommendations
- Review web server logs regularly for requests to /AppWithinMinutes/DeleteApplication containing suspicious xredirect values
- Monitor security information and event management (SIEM) systems for patterns indicating XSS exploitation attempts
- Establish baseline behavior for XWiki user sessions and alert on anomalous activities that may indicate session compromise
- Implement real-time alerting for any HTTP requests containing javascript: protocol in query parameters
How to Mitigate CVE-2023-35161
Immediate Actions Required
- Upgrade XWiki Platform to version 14.10.5 or 15.1-rc-1 or later immediately
- If immediate patching is not possible, restrict access to the AppWithinMinutes DeleteApplication page
- Implement Content Security Policy (CSP) headers to mitigate the impact of XSS attacks
- Educate users about the risks of clicking on suspicious links, especially those targeting XWiki endpoints
Patch Information
XWiki has released patches addressing this vulnerability. The fix implements proper URL sanitization using the #getSanitizedURLAttributeValue macro to validate redirect URLs before use. Organizations should upgrade to XWiki Platform version 14.10.5 or 15.1-rc-1 or later.
For detailed patch information, refer to:
- GitHub Commit for XWiki
- GitHub Security Advisory GHSA-4xm7
- XWiki Issue XWIKI-20583
- XWiki Issue XWIKI-20614
Workarounds
- Deploy a reverse proxy or WAF rule to filter requests containing javascript: in the xredirect parameter
- Temporarily disable or restrict access to the AppWithinMinutes module until patching is complete
- Implement strict Content Security Policy headers to prevent inline JavaScript execution
# Example Apache configuration to block malicious xredirect parameters
# Add to XWiki virtual host configuration
RewriteEngine On
RewriteCond %{QUERY_STRING} xredirect=.*javascript: [NC]
RewriteRule ^/xwiki/bin/view/AppWithinMinutes/DeleteApplication - [F,L]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
