Moderate severity · NVD Advisory · Published Apr 16, 2023 · Updated Feb 6, 2025
org.xwiki.platform:xwiki-platform-security-authentication-default XSS with authenticated endpoints
CVE-2023-29506
Description
XWiki Commons are technical libraries common to several other top-level XWiki projects. It was possible to inject code through the URL of the authentication endpoints: the fix below validates the wiki name taken from the URL before the forgot-username and reset-password templates are rendered. This problem has been patched in XWiki 13.10.11, 14.4.7 and 14.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-security-authentication-default (Maven) | >= 13.10.8, < 13.10.11 | 13.10.11 |
| org.xwiki.platform:xwiki-platform-security-authentication-default (Maven) | >= 14.4.3, < 14.4.7 | 14.4.7 |
| org.xwiki.platform:xwiki-platform-security-authentication-default (Maven) | >= 14.6, < 14.10 | 14.10 |
Affected products
- Range: >= 13.10.8, < 13.10.11 (the >= 14.4.3, < 14.4.7 and >= 14.6, < 14.10 ranges are listed in the table above)
Patches
1943ea26c967 XWIKI-20335: Wiki existence is not properly checked in authenticate
2 files changed · +55 −4
xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/main/java/org/xwiki/security/authentication/internal/resource/AuthenticationResourceReferenceHandler.java+16 −0 modified
@@ -37,6 +37,8 @@
 import org.xwiki.resource.ResourceReferenceHandlerException;
 import org.xwiki.resource.ResourceType;
 import org.xwiki.security.authentication.AuthenticationResourceReference;
+import org.xwiki.wiki.descriptor.WikiDescriptorManager;
+import org.xwiki.wiki.manager.WikiManagerException;
 import com.xpn.xwiki.XWikiContext;
 import com.xpn.xwiki.XWikiContextInitializer;
@@ -59,6 +61,9 @@ public class AuthenticationResourceReferenceHandler extends AbstractResourceRefe
 @Inject
 private Execution execution;
+ @Inject
+ private WikiDescriptorManager wikiDescriptorManager;
+
 @Override
 public List<ResourceType> getSupportedResourceReferences()
 {
@@ -71,6 +76,17 @@ public void handle(ResourceReference reference, ResourceReferenceHandlerChain ch
 {
 AuthenticationResourceReference authenticationResourceReference = (AuthenticationResourceReference) reference;
+ WikiReference wikiReference = authenticationResourceReference.getWikiReference();
+ try {
+ if (!this.wikiDescriptorManager.exists(wikiReference.getName())) {
+ throw new ResourceReferenceHandlerException(
+ String.format("The wiki [%s] does not exist.", wikiReference.getName()));
+ }
+ } catch (WikiManagerException e) {
+ throw new ResourceReferenceHandlerException(
+ String.format("Error when checking if wiki [%s] exists.", wikiReference.getName()), e);
+ }
+
 switch (authenticationResourceReference.getAction()) {
 case RETRIEVE_USERNAME:
 this.handleAction("forgotusername", authenticationResourceReference.getWikiReference());
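Review bot: The new guard folds the URL-supplied wiki name into both ResourceReferenceHandlerException messages (`String.format("The wiki [%s] does not exist.", wikiReference.getName())`), so the untrusted value the fix reacts to still flows into an error string; whether that is safe depends on how the resource-reference framework renders a handler exception, which is not visible in this hunk. If that message is ever written into an HTML error page unescaped, the reflection point moves one layer up rather than disappearing, so it is worth confirming that the rendering path HTML-escapes it, or replacing the name in the message with fixed text and logging the name separately. A why-comment above the `try` would also help the next reader, e.g. `// Refuse unknown wikis before any template runs: the wiki name comes straight from the URL (XWIKI-20335).` handle()'s body continues outside the hunk.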
xwiki-platform-core/xwiki-platform-security/xwiki-platform-security-authentication/xwiki-platform-security-authentication-default/src/test/java/org/xwiki/security/authentication/internal/resource/AuthenticationResourceReferenceHandlerTest.java+39 −4 modified
@@ -31,11 +31,14 @@
 import org.xwiki.context.ExecutionContext;
 import org.xwiki.model.reference.WikiReference;
 import org.xwiki.resource.ResourceReferenceHandlerChain;
+import org.xwiki.resource.ResourceReferenceHandlerException;
 import org.xwiki.security.authentication.AuthenticationAction;
 import org.xwiki.security.authentication.AuthenticationResourceReference;
 import org.xwiki.test.junit5.mockito.ComponentTest;
 import org.xwiki.test.junit5.mockito.InjectMockComponents;
 import org.xwiki.test.junit5.mockito.MockComponent;
+import org.xwiki.wiki.descriptor.WikiDescriptorManager;
+import org.xwiki.wiki.manager.WikiManagerException;
 import com.xpn.xwiki.XWiki;
 import com.xpn.xwiki.XWikiContext;
@@ -45,6 +48,7 @@
 import com.xpn.xwiki.web.XWikiResponse;
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
@@ -69,6 +73,9 @@ class AuthenticationResourceReferenceHandlerTest
 @MockComponent
 private Execution execution;
+ @MockComponent
+ private WikiDescriptorManager wikiDescriptorManager;
+
 private XWikiResponse response;
 private XWiki xwiki;
@@ -112,13 +119,19 @@ void getSupportedResourceReferences()
 void handleResetPassword() throws Exception
 {
 WikiReference wikiReference = new WikiReference("foo");
+ when(this.wikiDescriptorManager.exists("foo")).thenReturn(false);
 AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
 wikiReference,
 AuthenticationAction.RESET_PASSWORD);
- when(this.xwiki.evaluateTemplate("resetpassword.vm", context)).thenReturn("Reset password content");
-
 ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+ ResourceReferenceHandlerException exception =
+ assertThrows(ResourceReferenceHandlerException.class,
+ () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+ assertEquals("The wiki [foo] does not exist.", exception.getMessage());
+
+ when(this.wikiDescriptorManager.exists("foo")).thenReturn(true);
+ when(this.xwiki.evaluateTemplate("resetpassword.vm", context)).thenReturn("Reset password content");
 this.resourceReferenceHandler.handle(resourceReference, chain);
 verify(response).setContentType("text/html; charset=UTF-8");
@@ -133,20 +146,42 @@ void handleResetPassword() throws Exception
 void handleForgotUsername() throws Exception
 {
 WikiReference wikiReference = new WikiReference("bar");
+ when(this.wikiDescriptorManager.exists("bar")).thenReturn(false);
 AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
 wikiReference,
 AuthenticationAction.RETRIEVE_USERNAME);
+ ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+ ResourceReferenceHandlerException exception =
+ assertThrows(ResourceReferenceHandlerException.class,
+ () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+ assertEquals("The wiki [bar] does not exist.", exception.getMessage());
+
+ when(this.wikiDescriptorManager.exists("bar")).thenReturn(true);
 when(this.xwiki.evaluateTemplate("forgotusername.vm", context)).thenReturn("Forgot user name content");
- ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
 this.resourceReferenceHandler.handle(resourceReference, chain);
- verify(response).setContentType("text/html; charset=UTF-8"); verify(this.xWikiContextInitializer).initialize(any(ExecutionContext.class));
 verify(servletOutputStream).write("Forgot user name content".getBytes(StandardCharsets.UTF_8));
 verify(chain).handleNext(resourceReference);
 verify(context).setWikiReference(wikiReference);
 verify(context).setWikiReference(currentWiki);
 }
+
+ @Test
+ void handleForgotUsernameWikiDescriptorError() throws Exception
+ {
+ WikiReference wikiReference = new WikiReference("bar");
+ when(this.wikiDescriptorManager.exists("bar")).thenThrow(new WikiManagerException("Cannot access wiki"));
+ AuthenticationResourceReference resourceReference = new AuthenticationResourceReference(
+ wikiReference,
+ AuthenticationAction.RETRIEVE_USERNAME);
+
+ ResourceReferenceHandlerChain chain = mock(ResourceReferenceHandlerChain.class);
+ ResourceReferenceHandlerException exception =
+ assertThrows(ResourceReferenceHandlerException.class,
+ () -> this.resourceReferenceHandler.handle(resourceReference, chain));
+ assertEquals("Error when checking if wiki [bar] exists.", exception.getMessage());
+ }
 }
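Review bot: The rejection branch in handleResetPassword pins only the exception message; nothing asserts that the handler stayed silent before throwing, so a regression that renders the template or advances the chain and then throws would still pass. After the `assertEquals("The wiki [foo] does not exist.", exception.getMessage());` line, add `verify(chain, never()).handleNext(any());` and `verifyNoInteractions(response);` (both Mockito statics that would need importing; the static-import block is in an earlier hunk). handleResetPassword's body continues past the end of the hunk.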
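Review bot: handleForgotUsernameWikiDescriptorError checks the message of the wrapped exception but not its cause, so the handler could silently drop the `e` argument from the ResourceReferenceHandlerException constructor without this test noticing. Keep the thrown instance in a local, `WikiManagerException cause = new WikiManagerException("Cannot access wiki");`, stub with `.thenThrow(cause)`, and finish with `assertSame(cause, exception.getCause());` (assertSame would need a static import alongside assertThrows). The new test otherwise mirrors the rejection half of handleForgotUsername, which is fine for a regression test of a security fix.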
References
- github.com/advisories/GHSA-jjm5-5v9v-7hx2 (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-29506 (GHSA: ADVISORY)
- github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380 (GHSA: x_refsource_MISC, WEB)
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2 (GHSA: x_refsource_CONFIRM, WEB)
- jira.xwiki.org/browse/XWIKI-20335 (GHSA: x_refsource_MISC, WEB)