Critical severityNVD Advisory· Published Apr 18, 2023· Updated Feb 5, 2025
Code injection in xwiki-platform-web-templates
CVE-2023-29512
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with edit rights on a page (e.g., it's own user page), can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the information loaded from attachments in imported.vm, importinline.vm, and packagelist.vm. This page is installed by default. This vulnerability has been patched in XWiki 15.0-rc-1, 14.10.1, 14.4.8, and 13.10.11. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 1.0B1, < 13.10.11 | 13.10.11 |
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 14.0-rc-1, < 14.4.8 | 14.4.8 |
org.xwiki.platform:xwiki-platform-web-templatesMaven | >= 14.5, < 14.10.1 | 14.10.1 |
Affected products
1- Range: < 13.10.11
Patches
1e4bbdc23fea0XWIKI-20267: Improved escaping in importinline.vm
5 files changed · +228 −45
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/pom.xml+7 −0 modified@@ -128,5 +128,12 @@ <version>${project.version}</version> <scope>test</scope> </dependency> + <!-- Required to use the xar script service in the tests. --> + <dependency> + <groupId>org.xwiki.platform</groupId> + <artifactId>xwiki-platform-xar-script</artifactId> + <version>${project.version}</version> + <scope>test</scope> + </dependency> </dependencies> </project>
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/imported.vm+8 −6 modified@@ -20,7 +20,9 @@ #template("xwikivars.vm") #macro(showfilelist $list $text) #if($list.size()>0) - <h4 class="legend">$services.localization.render("import_listof${text}files")</h4> + <h4 class="legend"> + $escapetool.xml($services.localization.render("import_listof${text}files")) + </h4> <ul> #foreach($item in $list) <li><a href="$xwiki.getURL($item)">$escapetool.xml($item)</a></li> @@ -29,12 +31,12 @@ #end #end #if($hasAdmin) - #set($status = $services.localization.render("import_install_${xwiki.package.status}")) - #info("$services.localization.render('importing') $!escapetool.xml($request.name): $status") + #set($status = $escapetool.xml($services.localization.render("import_install_${xwiki.package.status}"))) + #info("$escapetool.xml($services.localization.render('importing')) $!escapetool.xml($request.name): $status") <ul> - <li>$xwiki.package.installed.size() $services.localization.render('import_documentinstalled')</li> - <li>$xwiki.package.skipped.size() $services.localization.render('import_documentskipped')</li> - <li>$xwiki.package.errors.size() $services.localization.render('import_documenterrors')</li> + <li>$xwiki.package.installed.size() $escapetool.xml($services.localization.render('import_documentinstalled'))</li> + <li>$xwiki.package.skipped.size() $escapetool.xml($services.localization.render('import_documentskipped'))</li> + <li>$xwiki.package.errors.size() $escapetool.xml($services.localization.render('import_documenterrors'))</li> </ul> #showfilelist($xwiki.package.installed 'installed') #showfilelist($xwiki.package.skipped 'skipped')
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/importinline.vm+58 −34 modified@@ -42,7 +42,8 @@ ## Import the documents from the selected XAR. ## --------------------------------------------------------------------------- #if("$!{request.action}" == 'import') -<p class="legend">$services.localization.render('import') #if("$!{request.withversions}" == '1')$services.localization.render('export_addhistory')#end</p> +<p class="legend">$escapetool.xml($services.localization.render('import')) #if("$!{request.withversions}" == '1') + $escapetool.xml($services.localization.render('export_addhistory'))#end</p> #template("imported.vm") ## --------------------------------------------------------------------------- ## Browse the XARs and let the user select a XAR and the list of documents @@ -56,28 +57,35 @@ $xwiki.ssfx.use('uicomponents/widgets/upload.css', true)## <div id="import" class="row"> <div id="packagelist" class="col-xs-12 col-sm-6 col-md-6"> - <div class="legend">$services.localization.render('core.importer.uploadPackage')</div> + <div class="legend"> + $escapetool.xml($services.localization.render('core.importer.uploadPackage')) + </div> ## Let the user upload XAR files. <form action="$doc.getURL('upload')" enctype="multipart/form-data" method="post" id="AddAttachment"> <div> ## CSRF prevention - <input type="hidden" name="form_token" value="$!{services.csrf.getToken()}" /> + <input type="hidden" name="form_token" value="$!escapetool.xml($services.csrf.getToken())" /> <input type="hidden" name="xredirect" value="$!{escapetool.xml($redirect)}" /> <fieldset id="attachform"> ## Temporarily disabled, until we fix attachment name handling ## <div><label id="xwikiuploadnamelabel" for="xwikiuploadname">$services.localization.render('core.viewers.attachments.upload.filename')</label></div> <div><input id="xwikiuploadname" type="hidden" name="filename" value="" /></div> <div class="package-upload"> - <label for="xwikiuploadfile" class="hidden">$services.localization.render('core.viewers.attachments.upload.file')</label> - <input id="xwikiuploadfile" type="file" name="filepath" class="uploadFileInput noitems" data-max-file-size="$!escapetool.xml($xwiki.getSpacePreference('upload_maxsize'))" /> - <span class="buttonwrapper"> - <input type="submit" value="Upload" class="button" /> - </span> + <label for="xwikiuploadfile" class="hidden"> + $escapetool.xml($services.localization.render('core.viewers.attachments.upload.file')) + </label> + <input id="xwikiuploadfile" type="file" name="filepath" class="uploadFileInput noitems" + data-max-file-size="$!escapetool.xml($xwiki.getSpacePreference('upload_maxsize'))"/> + <span class="buttonwrapper"> + <input type="submit" value="Upload" class="button"/> + </span> </div> </fieldset> </div> </form> - <div class="legend">$services.localization.render('core.importer.availablePackages')</div> + <div class="legend"> + $escapetool.xml($services.localization.render('core.importer.availablePackages')) + </div> <div id="packagelistcontainer"> #template('packagelist.vm') </div> ## packagelistcontainer @@ -94,42 +102,54 @@ #if(!$package) #error("There was an error reading the file ${escapetool.xml(${request.file})}. $!xcontext.import_error") #else - <div class="legend">$services.localization.render('core.importer.availableDocuments')</div> + <div class="legend"> + $escapetool.xml($services.localization.render('core.importer.availableDocuments')) + </div> <div id="packageDescription"> <div class="packageinfos"> <div> - <span class="label">$services.localization.render('core.importer.package')</span> - <span class="filename">$attach.filename</span> + <span class="label"> + $escapetool.xml($services.localization.render('core.importer.package')) + </span> + <span class="filename">$escapetool.xml($attach.filename)</span> </div> #if("$!package.packageName" != '') <div> - <span class="label">$services.localization.render('core.importer.package.description')</span> - <span class="name">$package.packageName</span> + <span class="label"> + $escapetool.xml($services.localization.render('core.importer.package.description')) + </span> + <span class="name">$escapetool.xml($package.packageName)</span> </div> #end #if("$!package.packageVersion" != '') <div> - <span class="label">$services.localization.render('core.importer.package.version')</span> - <span class="version">$package.packageVersion</span> + <span class="label"> + $escapetool.xml($services.localization.render('core.importer.package.version')) + </span> + <span class="version">$escapetool.xml($package.packageVersion)</span> </div> #end #if("$!package.packageAuthor" != '') <div> - <span class="label">$services.localization.render('core.importer.package.author')</span> - <span class="author">$package.packageAuthor</span> + <span class="label"> + $escapetool.xml($services.localization.render('core.importer.package.author')) + </span> + <span class="author">$escapetool.xml($package.packageAuthor)</span> </div> #end #if("$!package.packageLicense" != '') <div> - <span class="label">$services.localization.render('core.importer.package.licence')</span> - <span class="licence">$package.packageLicense</span> + <span class="label"> + $escapetool.xml($services.localization.render('core.importer.package.licence')) + </span> + <span class="licence">$escapetool.xml($package.packageLicense)</span> </div> #end </div> - <form action="$!{importaction}" method="post" class="static-importer"> + <form action="$!escapetool.xml($importaction)" method="post" class="static-importer"> <div> ## CSRF prevention - <input type="hidden" name="form_token" value="$!{services.csrf.getToken()}" /> + <input type="hidden" name="form_token" value="$!escapetool.xml($services.csrf.token)" /> <input type="hidden" name="action" value="import" /> <input type="hidden" name="name" value="$!{escapetool.xml($request.file)}" /> <div id="package"> @@ -151,7 +171,7 @@ </span> <span class="documentName"> <input type="hidden" name="$!{escapetool.xml($services.model.serialize($locale, 'local'))}:$!{escapetool.xml($locale.locale)}" value="$!{escapetool.xml($locale.locale)}" /> - $document #if("$!locale.locale" != '') - $locale.locale #end + $escapetool.xml($document) #if("$!locale.locale" != '') - $locale.locale #end </span> <div class="clearfloats"></div> </div> @@ -163,7 +183,7 @@ #set($space = $spaceNode.reference.name) <li class="xitem xunderline"> <div class="xitemcontainer"> - <div class="spacename">$space</div> + <div class="spacename">$escapetool.xml($space)</div> <div class="clearfloats"></div> <div class="pages"> <ul class="xlist pages"> @@ -182,34 +202,38 @@ #displaySpaceNode($node) #end #end - #foreach($node in $services.model.toTree($package.entries).children) + #set ($tree = $services.model.toTree($package.entries)) + #foreach($node in $tree.children) #displayNode($node) #end </ul> <div class="importOption"> - <em>$services.localization.render('core.importer.whenDocumentAlreadyExists')</em> + <em> + $escapetool.xml($services.localization.render('core.importer.whenDocumentAlreadyExists')) + </em> <div class="historyStrategyOption"> - <input type="radio" name="historyStrategy" value="add" checked="checked" /> - $services.localization.render('core.importer.addNewVersion') + <input type="radio" name="historyStrategy" value="add" checked="checked" /> + $escapetool.xml($services.localization.render('core.importer.addNewVersion')) </div> <div class="historyStrategyOption"> - <input type="radio" name="historyStrategy" value="replace" /> - $services.localization.render('core.importer.replaceDocumentHistory') + <input type="radio" name="historyStrategy" value="replace" /> + $escapetool.xml($services.localization.render('core.importer.replaceDocumentHistory')) </div> <div class="historyStrategyOption"> - <input type="radio" name="historyStrategy" value="reset" /> - $services.localization.render('core.importer.resetHistory') + <input type="radio" name="historyStrategy" value="reset" /> + $escapetool.xml($services.localization.render('core.importer.resetHistory')) </div> </div> ## TODO: replace with a new API to introduce (impossible to safely test right on a different wiki from velocity without PR) #if($xwiki.package.hasBackupPackImportRights()) <div class="importOption"> <input type="checkbox" name="importAsBackup" value="true" #if($packager.isBackupPack())checked="checked"#end/> - $services.localization.render('core.importer.importAsBackup') + $escapetool.xml($services.localization.render('core.importer.importAsBackup')) </div> #end <span class="buttonwrapper"> - <input class="button" type="submit" value="$services.localization.render('core.importer.import')" /> + <input class="button" type="submit" + value="$escapetool.xml($services.localization.render('core.importer.import'))" /> </span> </div> </div>
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/packagelist.vm+6 −5 modified@@ -29,9 +29,10 @@ <div class="name"> <a href="$!url" class="package" title="$services.localization.render('core.importer.selectThisPackage')"> #set($maxnamelength = 40) - #packName($attach.filename) + #set ($packName = "#packName($attach.filename)") + $escapetool.xml($packName) </a> - <span class="version">$attach.version</span> + <span class="version">$escapetool.xml($attach.version)</span> <span class="xwikibuttonlinks"> #set($redirect = $doc.getURL('import', 'section=Import')) #set($attachurl = $doc.getAttachmentURL(${attach.filename}, 'delattachment', "xredirect=$!{redirect}&form_token=$!{services.csrf.getToken()}")) @@ -40,15 +41,15 @@ </span> </div> <div class="infos"> - $services.localization.render('core.importer.packageInformationExtract', [ + $escapetool.xml($services.localization.render('core.importer.packageInformationExtract', [ $xwiki.getUserName($attach.author, true), $!xwiki.formatDate($attach.date) - ]) - <span class="size">(#dynamicsize($attach.longSize))</span> + ])) - <span class="size">(#dynamicsize($attach.longSize))</span> </div> </div> </li> #end </ul> #else - <span class="noitems">$services.localization.render('core.importer.noPackageAvailable')</span> + <span class="noitems">$escapetool.xml($services.localization.render('core.importer.noPackageAvailable'))</span> #end \ No newline at end of file
xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/ImportInlinePageTest.java+149 −0 added@@ -0,0 +1,149 @@ +/* + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package org.xwiki.web; + +import java.io.ByteArrayInputStream; +import java.io.InputStream; +import java.util.List; +import java.util.Locale; +import java.util.stream.Collectors; + +import org.jsoup.Jsoup; +import org.jsoup.nodes.Document; +import org.jsoup.nodes.Element; +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mock; +import org.xwiki.model.reference.DocumentReference; +import org.xwiki.model.reference.LocalDocumentReference; +import org.xwiki.model.script.ModelScriptService; +import org.xwiki.script.service.ScriptService; +import org.xwiki.skinx.internal.async.SkinExtensionAsync; +import org.xwiki.template.TemplateManager; +import org.xwiki.test.annotation.ComponentList; +import org.xwiki.test.page.PageTest; +import org.xwiki.xar.XarEntry; +import org.xwiki.xar.XarPackage; +import org.xwiki.xar.script.XarScriptService; + +import com.xpn.xwiki.doc.XWikiDocument; +import com.xpn.xwiki.plugin.XWikiPluginManager; +import com.xpn.xwiki.plugin.skinx.CssSkinFileExtensionPlugin; +import com.xpn.xwiki.plugin.skinx.JsSkinFileExtensionPlugin; + +import static java.util.Collections.singletonList; +import static org.hamcrest.MatcherAssert.assertThat; +import static org.hamcrest.Matchers.containsInAnyOrder; +import static org.junit.jupiter.api.Assertions.assertEquals; +import static org.mockito.ArgumentMatchers.any; +import static org.mockito.ArgumentMatchers.anyBoolean; +import static org.mockito.Mockito.when; + +/** + * Test of template {@code importinline.vm}. + * + * @version $Id$ + * @since 15.0-rc-1 + * @since 14.10.1 + * @since 14.4.8 + * @since 13.10.11 + */ +@ComponentList({ + SkinExtensionAsync.class, + ModelScriptService.class +}) +class ImportInlinePageTest extends PageTest +{ + private TemplateManager templateManager; + + @Mock + private XarScriptService xarScriptService; + + @BeforeEach + void setUp() throws Exception + { + this.templateManager = this.oldcore.getMocker().getInstance(TemplateManager.class); + // Enable the ssfx/jsfx plugins. + XWikiPluginManager pluginManager = this.oldcore.getSpyXWiki().getPluginManager(); + pluginManager.addPlugin("ssfx", CssSkinFileExtensionPlugin.class.getName(), this.context); + pluginManager.addPlugin("jsfx", JsSkinFileExtensionPlugin.class.getName(), this.context); + // Initialize XWiki.XWikiPreferences + XWikiDocument xWikiPreferencesDocument = + this.xwiki.getDocument(new DocumentReference("xwiki", "XWiki", "XWikiPreferences"), this.context); + this.xwiki.saveDocument(xWikiPreferencesDocument, this.context); + // Initialize the current document + XWikiDocument currentDocument = this.xwiki.getDocument(new DocumentReference("xwiki", "Doc", "Space" + + "\"'/><script>console.log('docTitle'</script>{{html}}{{noscript/}}"), this.context); + currentDocument.setAttachment("attachment.xar", new ByteArrayInputStream("xar content".getBytes()), + this.context); + currentDocument.setAttachment("\"'/><script>console.log('secondAttachment')</script>{{/html}}{{noscript/}}", + new ByteArrayInputStream("file content".getBytes()), this.context); + this.xwiki.saveDocument(currentDocument, this.context); + this.context.setDoc(currentDocument); + this.componentManager.registerComponent(ScriptService.class, "xar", this.xarScriptService); + } + + @Test + void escape() throws Exception + { + String packageAuthor = "\"'><script>console.log('package author');</script>{{/html}}{{noscript/}}"; + String packageName = "\"'><script>console.log('package name');</script>{{/html}}{{noscript/}}"; + String packageLicense = "\"'><script>console.log('package licence');</script>{{/html}}{{noscript/}}"; + String spaceName = "\"'><script>console.log('space name');</script>{{/html}}{{noscript/}}"; + String pageName = "\"'><script>console.log('page name');</script>{{/html}}{{noscript/}}"; + LocalDocumentReference reference = new LocalDocumentReference(spaceName, pageName, Locale.FRANCE); + XarEntry xarEntry = new XarEntry(reference); + + XarPackage xarPackage = new XarPackage(singletonList(xarEntry)); + xarPackage.setPackageAuthor(packageAuthor); + xarPackage.setPackageName(packageName); + xarPackage.setPackageDescription("packageDescription"); + xarPackage.setPackageLicense(packageLicense); + xarPackage.setPackageExtensionId("packageExtensionId"); + + when(this.xarScriptService.getXarPackage(any(InputStream.class), anyBoolean())).thenReturn(xarPackage); + this.request.put("file", "attachment.xar"); + Document document = Jsoup.parse(this.templateManager.render("importinline.vm")); + + assertEquals("/xwiki/bin/upload/Doc/Space%22%27%2F%3E%3Cscript%3Econsole.log%28%27docTitle" + + "%27%3C%2Fscript%3E%7B%7Bhtml%7D%7D%7B%7Bnoscript%2F%7D%7D", + document.selectFirst("form").attr("action")); + Element packageinfos = document.selectFirst(".packageinfos"); + assertEquals(packageAuthor, packageinfos.selectFirst(".author").text()); + assertEquals(packageName, packageinfos.selectFirst(".name").text()); + assertEquals(packageLicense, packageinfos.selectFirst(".licence").text()); + Element packageDiv = document.getElementById("package"); + assertEquals(spaceName, packageDiv.selectFirst(".spacename").text()); + Element xitemLi = packageDiv.selectFirst(".xitem"); + assertEquals("\"'><script>console\\.log('space name');</script>{{/html}}{{noscript/}}.\"'>" + + "<script>console\\.log('page name');</script>{{/html}}{{noscript/}}:fr_FR", + xitemLi.selectFirst("input[type='hidden']").attr("name")); + assertEquals("\"'><script>console.log('space name');</script>{{/html}}{{noscript/}} \"'>" + + "<script>console.log('page name');</script>{{/html}}{{noscript/}} - fr_FR", xitemLi.text()); + List<String> attachmentLinksText = + document.select("#packagelistcontainer .xitemcontainer.package .name>a") + .stream() + .map(Element::text) + .collect(Collectors.toList()); + assertThat(attachmentLinksText, + containsInAnyOrder("><script>console.log('secondAttachment')</script>{{/html}}{{noscript/}}", + "attachment.xar")); + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-hg5x-3w3x-7g96ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-29512ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/e4bbdc23fea0be4ef1921d1a58648028ce753344ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-hg5x-3w3x-7g96ghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-20267ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.