This open redirect in XWiki Platform's WYSIWYG API lets an attacker craft a URL on a trusted wiki host that sends the visitor to an arbitrary external site. The flaw is in the HTML conversion request filter, which redirects to the value of the `xerror` query parameter without validating it. When a user visits a manipulated URL (e.g., `
Patched versions enforce domain validation: the redirect URL is parsed and its host compared against the configured safe domains and the origin of the current request, and any other target is refused.
DailyCVE Form:
Platform: XWiki Platform
Version: 13.5-rc-1 to 15.10.12
Vulnerability: Open Redirect
Severity: Moderate
Date: Apr 29, 2025
What Undercode Say:
Exploit:
1. Craft a URL on the wiki host (`xwiki-host` and `attacker.com` are placeholders):
https://xwiki-host/xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=https://attacker.com
2. Deliver it to the victim by email or embed it in a page they visit. Because the link points at the trusted wiki host, it survives the usual "check the domain before clicking" advice.
Detection:
Search the access log of the servlet container or reverse proxy in front of XWiki (the path below is a placeholder; XWiki itself does not write the access log) for `xerror` values that start with a scheme or with `//`, raw or percent-encoded, since only those can leave the host:
grep -Ei 'xerror=(https?(:|%3A)|(/|%2F){2})' /var/log/xwiki/access.log
Mitigation:
1. Upgrade to a patched version (15.10.13, 16.4.4, or 16.8.0). Only the upgrade fixes the filter; the proxy rules below are temporary defense in depth.
2. WAF rule (nginx) rejecting any `xerror` value that can leave the host, i.e. one that starts with a scheme or with two slashes, in raw or percent-encoded form (`$args` is the raw query string, hence the encoded alternatives and the case-insensitive `~*`):
location /xwiki/ {
    if ($args ~* "(^|&)xerror=(https?(:|%3A)|(/|%2F){2})") { return 403; }
}
Match on the shape of the value rather than on a particular attacker host: the attacker chooses the host, so a deny-list of hosts never closes an open redirect. This rule also refuses absolute `xerror` URLs on your own host; if a legitimate flow needs those, exempt your hostname with a negative lookahead instead of the blanket match.
3. Require a same-site Referer on HTML conversion requests (Apache; `your-xwiki-host` is a placeholder):
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https://your-xwiki-host/ [NC]
RewriteCond %{QUERY_STRING} RequiresHTMLConversion [NC]
RewriteRule ^ - [F]
A link opened from an email or a third-party page carries no matching Referer and is refused, while the editor's own requests carry the wiki's origin. Referer can be suppressed by referrer policy or privacy extensions, and the rule breaks if the wiki is reached under more than one hostname, so treat it as a stopgap rather than the fix.
Code Fix (illustrative Java snippet for domain validation; `isSafeDomain` is a helper the page does not define, and it must compare the parsed host of the URL, not a string prefix):
if (redirectUrl != null && !isSafeDomain(redirectUrl, currentRequestDomain)) {
    throw new SecurityException("Invalid redirect domain");
}
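The check the patched filter performs, and the detection step above, modelled in Python as an added example. This is not XWiki's code and not the page's own snippet; `wiki.example.org`, the safe-domain set, the `attacker.example` host and the log lines are all constructed for illustration. The check covers what a plain string comparison misses: protocol-relative `//host`, backslashes that browsers treat as slashes, credentials in the authority, look-alike subdomains, `https:host` without slashes, and non-http schemes. The same function then classifies the decoded `xerror` values in access-log lines, which the grep above only approximates.

```python
"""Added example, not XWiki's code: a Python model of the safe-redirect check the
patched filter applies to `xerror`, reused to scan access-log lines for values
that would send a visitor off the wiki host. The host names, the safe-domain
set and the log lines are constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters browsers strip from both ends of a URL before parsing (C0 controls and space).
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))


def normalize(candidate):
    """Apply the browser's pre-parse cleanup so the check sees the URL the browser will use."""
    s = "".join(ch for ch in candidate if ch not in "\t\r\n")  # removed anywhere in a URL
    s = s.strip(_EDGE_JUNK)
    return s.replace("\\", "/")  # http(s) URLs treat backslash as slash, so "/\evil" is "//evil"


def is_safe_redirect(candidate, request_host, safe_domains=frozenset()):
    """True only if following `candidate` lands on request_host or a listed safe domain."""
    s = normalize(candidate)
    if not s:
        return False  # nothing to redirect to; the caller should fall back to a default page
    allowed = {request_host.lower()} | {d.lower() for d in safe_domains}
    if s.startswith("//"):
        # Protocol-relative: the browser supplies the scheme and the attacker the host.
        # Browsers also ignore extra leading slashes, so collapse them before parsing.
        s = "https://" + s.lstrip("/")
    try:
        parts = urlsplit(s)
    except ValueError:
        return False  # unparseable, e.g. an unbalanced "[" in the host part
    if not parts.scheme:
        return True  # path-relative or root-relative: stays on the current host
    if parts.scheme not in ALLOWED_SCHEMES:
        return False  # javascript:, data:, file: and any custom scheme
    # .hostname is lowercased with userinfo and port removed, so "https://wiki@evil" yields "evil".
    # "https:evil" and "https:///evil" parse with no host even though browsers still reach evil.
    host = parts.hostname
    return host is not None and host in allowed


# Request field of a combined-format access log line, e.g. "GET /xwiki/bin/view/Main/?... HTTP/1.1"
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[0-9.]+"')


def scan_access_log(lines, request_host, safe_domains=frozenset()):
    """Return (line, decoded xerror value) pairs for requests whose xerror would leave the host."""
    hits = []
    for line in lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        # parse_qs percent-decodes once, as the servlet container does before the filter runs,
        # so encoded payloads such as %2F%2F are judged in the form the filter would see.
        for value in parse_qs(query, keep_blank_values=True).get("xerror", []):
            if not is_safe_redirect(value, request_host, safe_domains):
                hits.append((line, value))
    return hits


# Constructed log lines (documentation IPs and hosts), not captured from a real deployment.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Apr/2025:10:01:12 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=https://attacker.example HTTP/1.1" 302 0',
    '203.0.113.5 - - [29/Apr/2025:10:01:40 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=%2F%2Fattacker.example%2Fphish HTTP/1.1" 302 0',
    '198.51.100.7 - - [29/Apr/2025:10:02:03 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=https%3A%2F%2Fwiki.example.org%40attacker.example HTTP/1.1" 302 0',
    '192.0.2.9 - - [29/Apr/2025:10:03:15 +0000] "GET /xwiki/bin/view/Main/?RequiresHTMLConversion=foo&xerror=/xwiki/bin/view/Main/ HTTP/1.1" 302 0',
    '192.0.2.9 - - [29/Apr/2025:10:04:00 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for line, value in scan_access_log(SAMPLE_LOG, "wiki.example.org", {"sso.example.org"}):
        print("off-host xerror:", value, "<-", line.split('"')[1])
```

Exact host matching is deliberate: a suffix or substring test against `example.org` is exactly what lets `wiki.example.org.attacker.example` through. In XWiki the equivalent check lives in the Java filter, where a helper of the `isSafeDomain` shape shown above would wrap the same parse-then-compare logic with the safe set read from configuration.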
Analytics:
- Monitor 302 responses from `/xwiki/` whose Location header points to a host other than the wiki's.
- Alert when requests carrying `xerror` spike, and page on any whose value names an external host.
SQL over a request-log table (PostgreSQL syntax; `logs`, `path` and `timestamp` are placeholder names), counting only `xerror` values that can leave the host:
SELECT COUNT(*) FROM logs
WHERE timestamp > NOW() - INTERVAL '1 hour'
  AND (LOWER(path) LIKE '%xerror=http%'
       OR LOWER(path) LIKE '%xerror=//%'
       OR LOWER(path) LIKE '%xerror=!%2f!%2f%' ESCAPE '!');
Sources:
Reported By: github.com