How the CVE Works
This vulnerability occurs when a page containing a link is renamed or moved, granting unintended script or programming rights. The target page’s metadata author is improperly updated during refactoring, allowing execution of scripts in xobjects that should remain restricted. Attackers with edit rights can exploit this by manipulating page links and convincing a higher-privileged user to perform a move/rename operation. The flaw stems from incorrect rights evaluation during refactoring, bypassing original author restrictions.
DailyCVE Form
Platform: XWiki
Version: 8.2 to 16.4.6
Vulnerability: Access Control Bypass
Severity: Critical
Date: 2023-XX-XX
Prediction: Patch expected by 2023-Q4
What Undercode Say
Check XWiki version:

    curl -I http://xwiki-host/xwiki/bin/Main/WebHome

Exploit PoC (simulated refactoring):

    POST /xwiki/bin/rename/XWiki/PageName HTTP/1.1
    Host: vulnerable-xwiki
    Content-Type: application/x-www-form-urlencoded

    targetPage=XWiki:MaliciousPage&copy=false&autoRedirect=false
How Exploit
1. An attacker with edit rights edits a page.
2. The attacker inserts a malicious link to a page they control.
3. The attacker tricks an admin into renaming or moving the page.
4. Scripts execute with elevated rights.
Protection from this CVE
- Upgrade to XWiki 16.4.7/17.1.0RC1/16.10.4.
- Restrict refactoring to trusted users.
- Audit xobjects for unauthorized scripts.
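To apply the upgrade guidance across several instances, the following added example (not code from XWiki or from the original post) classifies version strings against the affected range and fixed releases listed on this page. Versions the page does not mention are reported as "unlisted" rather than guessed; the host names and inventory are constructed, and treating anything at or after the newest fixed release as fixed is an assumption.

```python
import re

# From the page: affected range and the three fixed releases.
AFFECTED_MIN, AFFECTED_MAX = "8.2", "16.4.6"
FIXED_RELEASES = ["16.4.7", "16.10.4", "17.1.0RC1"]

# Accepts "16.4.6", "8.2", "17.1.0RC1" and XWiki's "17.1.0-rc-1" spelling.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-?(rc|milestone)-?(\d+))?$", re.I)

def parse(version):
    """Return a sortable tuple; pre-releases sort before the final release."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    if m[4] is None:
        stage, number = 2, 0
    else:
        stage, number = (1 if m[4].lower() == "rc" else 0), int(m[5])
    return (int(m[1]), int(m[2]), int(m[3] or 0), stage, number)

def classify(version):
    """'affected', 'fixed', or 'unlisted' (the page says nothing about it)."""
    v = parse(version)
    if parse(AFFECTED_MIN) <= v <= parse(AFFECTED_MAX):
        return "affected"
    fixed = sorted(parse(f) for f in FIXED_RELEASES)
    # Assumption: releases at or after the newest fixed one carry the fix.
    if v >= fixed[-1]:
        return "fixed"
    # Older fixes only count on their own major.minor line (16.4.x, 16.10.x).
    if any(v[:2] == f[:2] and v >= f for f in fixed):
        return "fixed"
    return "unlisted"

def triage(inventory):
    """Map each host to its status; bad version strings are reported, not fatal."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed inventory (hypothetical host names and versions).
SAMPLE = {"wiki-a": "15.10.11", "wiki-b": "16.4.7", "wiki-c": "16.10.3",
          "wiki-d": "17.1.0-rc-1", "wiki-e": "16.4.6", "wiki-f": "latest"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Instances reported as "unlisted" or "unparseable" need a manual check against the vendor advisory before they are considered safe.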
Impact
- Unauthorized script execution.
- Privilege escalation.
- Compromise of wiki integrity.
Sources:
Reported By: github.com