CVE-2023-40572: XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-40572

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

XWiki Platform vulnerable to CSRF privilege escalation/RCE via the create action

Source: NVD (National Vulnerability Database)

Vulnerability Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The create action is vulnerable to a CSRF attack, allowing script and thus remote code execution when targeting a user with script/programming right, thus compromising the confidentiality, integrity and availability of the whole XWiki installation. When a user with script right views this image and a log message `ERROR foo - Script executed!` appears in the log, the XWiki installation is vulnerable. This has been patched in XWiki 14.10.9 and 15.4RC1 by requiring a CSRF token for the actual page creation.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Source: NVD (National Vulnerability Database)

Vulnerability Type

跨站请求伪造(CSRF)

Source: NVD (National Vulnerability Database)

Vulnerability Title

XWiki Platform 跨站请求伪造漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

XWiki Platform是法国XWiki基金会的一套用于创建Web协作应用程序的Wiki平台。 XWiki Platform存在跨站请求伪造漏洞，该漏洞源于存在跨站请伪造（CSRF）漏洞。攻击者可利用该漏洞进行权限升级和远程代码执行（RCE）。受影响的产品和版本：XWiki Platform 3.2-milestone-3至14.10.9之前版本，15.0-rc-1至15.4-rc-1之前版本。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
xwiki	xwiki-platform	>= 3.2-milestone-3, < 14.10.9	-

II. Public POCs for CVE-2023-40572

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-40572

Please Login to view more intelligence information

https://jira.xwiki.org/browse/XWIKI-20849x_refsource_MISC
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-4f8m-7h83-9f6mx_refsource_CONFIRM
https://github.com/xwiki/xwiki-platform/commit/4b20528808d0c311290b0d9ab2cfc44063380ef7x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2023-40572

IV. Related Vulnerabilities

Same product: xwiki-platform

Same vendor: xwiki

Same weakness: CWE-352

V. Comments for CVE-2023-40572

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-40572

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-40572

III. Intelligence Information for CVE-2023-40572

IV. Related Vulnerabilities

V. Comments for CVE-2023-40572

Leave a comment