XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts text/plain, multipart/form-data or application/x-www-form-urlencoded as content types, all of which can be sent by regular HTML forms, thus allowing cross-site request forgery (CSRF). With the interaction of a user who has programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions, but as of March 2023 these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for the request types that are susceptible to CSRF attacks.
{ "cwe_ids": [ "CWE-352" ] }
[ { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/PageResourceIT.java" }, "id": "CVE-2023-37277-0ecdea42", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "282435608521564164373102963606266966724", "16019167629756963701772649914021562366", "126624133876844536762292133743096090152" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/AllITs.java" }, "id": "CVE-2023-37277-1028c363", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "291362900461208059859400986109227887403", "290768138730068400793341551066448313049" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "function": "executePost", "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/framework/AbstractHttpIT.java" }, "id": "CVE-2023-37277-18246537", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "99862216382496118758115275079935457241", "length": 488.0 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/XWikiFilter.java" }, "id": "CVE-2023-37277-3affea5e", "deprecated": false, "signature_version": "v1", 
"signature_type": "Line", "digest": { "line_hashes": [ "15310467846742511931318580921267108004", "242002313068312673234422945008209276938", "192281116217902257159990437638095180246", "73805447198163337875760828881561052580", "243680568966226063709739463743036129847", "181183216539450741671041545571294036498", "109984696428650390628843653403730143601", "310043744483596381682981818442629779512", "131077013933621332400336933988865958522", "213750075255487363789837314563928739700", "224710787622971181261489086988707981710", "50252261505071616445660830900897104790", "320266339085021562571722696386050489029", "252548138885541915326803833847020724371", "130893581224576328422519936875333263498", "283665682835988753679234561641814382173", "246515906211220719423783351673011686737", "125178903878256608103553394501730608370", "70872595005561048943857994879949679759", "141446256890136325473353374662481911693", "211268588017132686370420949954396373028", "281321000924502334821646434167492529873", "121390489458001270236876830178060009157", "71615348926079842524186896933436417996", "285184874903742854603616538360454160331", "141686338166326432737585956356686436608", "45165220223598070877076227956042412970" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/AttachmentsResourceIT.java" }, "id": "CVE-2023-37277-40aa0b70", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "68571063491097813327529017850206658074", "8139904896141057612519073722029646885", "89073754469619151136046262654969713644", "233093779395059712729585338282319963509" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "function": "beforeHandle", "file": 
"xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-server/src/main/java/org/xwiki/rest/internal/XWikiFilter.java" }, "id": "CVE-2023-37277-47131bf3", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "288182626153562957399322111392565071585", "length": 834.0 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/CommentsResourceIT.java" }, "id": "CVE-2023-37277-4a913460", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "330777909332115985507226000623866007192", "290653179851938117392475671030772621604", "82140201153003035332610834468992819862" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "function": "testPOSTAttachment", "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/AttachmentsResourceIT.java" }, "id": "CVE-2023-37277-7979ccae", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "136796354151464478346686126030477087434", "length": 1071.0 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/framework/AbstractHttpIT.java" }, "id": "CVE-2023-37277-8f93b15f", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "31980159009706481319135330562425115980", "207180450629289144616121472456822963525", "214289090975856447798225491901618584215", 
"28214604382653188971114099142391021340", "140762891168331251641750595009569786239", "151907766758607992165684456104255250259", "195809472033967679061586510765492972663", "174312125360270529638682273728639663064", "231221362025086925942424852483945714708", "163492229918147087314212110460435535034", "130443323675204482665611196275181223959", "69910752839828607273253208467595965751", "140762891168331251641750595009569786239", "153133728448165823988122134251365714702", "191215847193566052182436149052279386529", "103455129968451608618927842408784361068", "209495830289432324066036969883551840599" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/ObjectsResourceIT.java" }, "id": "CVE-2023-37277-adb65e73", "deprecated": false, "signature_version": "v1", "signature_type": "Line", "digest": { "line_hashes": [ "125344141515640308745718794375056478202", "307739496551128485468785437608315625220", "236402804147325917293544442638139449153" ], "threshold": 0.9 } }, { "source": "https://github.com/xwiki/xwiki-platform/commit/4c175405faa0e62437df397811c7526dfc0fbae7", "target": { "function": "executePostForm", "file": "xwiki-platform-core/xwiki-platform-rest/xwiki-platform-rest-test/xwiki-platform-rest-test-tests/src/test/it/org/xwiki/rest/test/framework/AbstractHttpIT.java" }, "id": "CVE-2023-37277-dee884be", "deprecated": false, "signature_version": "v1", "signature_type": "Function", "digest": { "function_hash": "328515638349306958922935631003785864559", "length": 507.0 } } ]