High severity · NVD Advisory · Published Jun 23, 2023 · Updated Nov 27, 2024

XWiki Platform vulnerable to reflected cross-site scripting via delattachment action

CVE-2023-35157

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. A reflected XSS can be triggered by forging a request to the delete attachment (delattachment) action with a crafted attachment name. The XSS can be exploited only if the attacker knows the victim's CSRF token, or if the victim ignores the warning about the missing CSRF token. The vulnerability has been patched in XWiki 15.1-rc-1 and XWiki 14.10.6.
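A detection-side added example, not code from the advisory or from XWiki: it scans web access logs for delattachment requests whose attachment name decodes to HTML metacharacters, which is the request shape this issue depends on. It assumes XWiki's default /bin/<action>/<space>/<page>/<attachment> URL layout and combined-format access logs; the log lines are constructed.

```python
"""Flag delattachment requests whose attachment name carries HTML metacharacters.

Added example, not XWiki project code. Assumes the default XWiki URL layout
/<context>/bin/<action>/<space>/<page>/<attachment> and combined-format logs.
"""
import re
from urllib.parse import unquote

# Combined log format: ip - user [time] "METHOD path HTTP/x" status bytes ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# Entity URL of the delattachment action: everything after it up to the query string
DELATTACHMENT = re.compile(r'/bin/delattachment/(?P<rest>[^?]+)')
# Characters that matter once the name is echoed into an HTML message box
HTML_META = re.compile(r'[<>"\']')


def attachment_name_from_path(path):
    """Return the URL-decoded attachment name of a delattachment request, or None."""
    m = DELATTACHMENT.search(path)
    if not m:
        return None
    segments = m.group("rest").split("/")
    if len(segments) < 3:  # need at least space/page/attachment
        return None
    return unquote(segments[-1])


def suspicious_delattachment_requests(lines):
    """Return (ip, decoded name) for delattachment hits whose name contains HTML metacharacters."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        name = attachment_name_from_path(m.group("path"))
        if name is not None and HTML_META.search(name):
            hits.append((m.group("ip"), name))
    return hits


# Constructed sample lines, not real traffic
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2023:10:00:01 +0000] "GET /xwiki/bin/delattachment/Main/WebHome/report.pdf HTTP/1.1" 302 0',
    '10.0.0.9 - - [16/Feb/2023:10:00:02 +0000] "GET /xwiki/bin/delattachment/Main/WebHome/%3Cimg%20src%3Dx%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Feb/2023:10:00:03 +0000] "GET /xwiki/bin/download/Main/WebHome/%3Cb%3E.txt HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for ip, name in suspicious_delattachment_requests(SAMPLE_LOG):
        print(f"{ip} delattachment with HTML metacharacters in name: {name!r}")
```

Only the delattachment action is matched on purpose; the same decoded name in a download request is not the sink this advisory describes.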

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Ecosystem  Affected versions              Patched versions
org.xwiki.platform:xwiki-platform-oldcore  Maven      >= 3.2-milestone-3, < 14.10.6  14.10.6
org.xwiki.platform:xwiki-platform-oldcore  Maven      >= 15.0-rc-0, < 15.1-rc-1      15.1-rc-1


Patches

35e9073ffec5

XWIKI-20339: Attachment names are not properly displayed with special characters

https://github.com/xwiki/xwiki-platform · Simon Urli · Feb 16, 2023 · via ghsa
4 files changed · +36 −2
  • xwiki-platform-core/xwiki-platform-flamingo/xwiki-platform-flamingo-skin/xwiki-platform-flamingo-skin-test/xwiki-platform-flamingo-skin-test-docker/src/test/it/org/xwiki/flamingo/test/docker/AttachmentIT.java  +21 −0  modified
    @@ -30,12 +30,14 @@
     import org.openqa.selenium.By;
     import org.xwiki.flamingo.skin.test.po.AttachmentsPane;
     import org.xwiki.flamingo.skin.test.po.AttachmentsViewPage;
    +import org.xwiki.model.reference.AttachmentReference;
     import org.xwiki.model.reference.DocumentReference;
     import org.xwiki.rest.model.jaxb.Page;
     import org.xwiki.test.docker.junit5.TestConfiguration;
     import org.xwiki.test.docker.junit5.TestReference;
     import org.xwiki.test.docker.junit5.UITest;
     import org.xwiki.test.ui.TestUtils;
    +import org.xwiki.test.ui.po.BasePage;
     import org.xwiki.test.ui.po.ChangesPane;
     import org.xwiki.test.ui.po.ComparePage;
     import org.xwiki.test.ui.po.DeletePageOutcomePage;
    @@ -425,6 +427,25 @@ void addSeveralAttachmentsAtOnce(TestUtils setup, TestReference testReference, T
             assertEquals(4, attachmentsPane.getNumberOfAttachments());
         }
     
    +    /**
    +     * Check the display of delete attachment message when it contains special characters.
    +     */
    +    @Test
    +    @Order(8)
    +    void deleteAttachmentWithSpecialChar(TestUtils setup, TestReference testReference)
    +    {
    +        setup.loginAsSuperAdmin();
    +        setup.createPage(testReference, "Empty content");
    +        String attachmentName = "<img src=x>";
    +        AttachmentReference attachmentReference = new AttachmentReference(attachmentName, testReference);
    +        setup.gotoPage(attachmentReference, "delattachment");
    +        BasePage basePage = new BasePage();
    +        assertEquals(String.format("Error\n"
    +                + "Failed to delete attachment %s\n"
    +                + "This attachment does not exist.", attachmentName),
    +                basePage.getXWikiMessageContent());
    +    }
    +
         private String getAttachmentsMacroContent(DocumentReference docRef)
         {
             StringBuilder sb = new StringBuilder();
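Review bot: the new deleteAttachmentWithSpecialChar test only exercises the "This attachment does not exist" error path, while the fix lands in localizePlainOrKey, which other messages and actions go through as well; a second case where the attachment exists (deletion succeeds, or the user lacks delete rights) would confirm the name is rendered literally in those messages too. The assertion is sound as written: getText() would drop an injected img element's content, so an unescaped name could not produce the expected string. Consider also documenting why @Order(8) is required, since the test creates its own page and does not appear to depend on earlier ordered tests.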
    
  • xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/XWikiAction.java  +2 −1  modified
    @@ -90,6 +90,7 @@
     import org.xwiki.user.UserReference;
     import org.xwiki.user.UserReferenceResolver;
     import org.xwiki.velocity.VelocityManager;
    +import org.xwiki.xml.XMLUtils;
     
     import com.fasterxml.jackson.databind.ObjectMapper;
     import com.xpn.xwiki.XWiki;
    @@ -234,7 +235,7 @@ protected ContextualAuthorizationManager getContextualAuthorizationManager()
     
         protected String localizePlainOrKey(String key, Object... parameters)
         {
    -        return StringUtils.defaultString(getLocalization().getTranslationPlain(key, parameters), key);
    +        return XMLUtils.escape(StringUtils.defaultString(getLocalization().getTranslationPlain(key, parameters), key));
         }
     
         protected JobProgressManager getProgress()
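Review bot: escaping inside localizePlainOrKey changes the contract for every caller of this helper, not just the delattachment message; any caller that places the result in a non-HTML context (plain-text response, JSON, HTTP header, log) or that escapes again will now see entities such as &lt; in the output. Suggest either documenting the method as returning HTML-safe text (its name still says Plain) or adding a separate HTML-escaping variant and switching only the HTML sinks to it. The placement is correct for the fix itself: the escape wraps the result after getTranslationPlain has substituted the user-controlled parameters, and it also covers the fallback where the raw key is returned.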
    
  • xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-ui/src/main/java/org/xwiki/test/ui/po/BasePage.java  +12 −0  modified
    @@ -668,6 +668,18 @@ public boolean isForbidden()
             return false;
         }
     
    +    /**
    +     * @return the full text of an {@code xwikimessage} box displayed in the full content (e.g. in case of error).
    +     * @since 15.1RC1
    +     * @since 14.10.6
    +     */
    +    public String getXWikiMessageContent()
    +    {
    +        return getDriver()
    +            .findElementWithoutWaiting(By.xpath("//div[@id = 'mainContentArea']/div[contains(@class, 'xwikimessage')]"))
    +            .getText();
    +    }
    +
         /**
          * Use the following keyboard shortcut and wait for a new page to load. This should be only used for shortcuts that
          * indeed loads a new page.
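Review bot: the XPath in getXWikiMessageContent selects only an xwikimessage div that is a direct child of mainContentArea, and findElementWithoutWaiting throws immediately if none is present; callers therefore must already have waited for the page to load, and a message box nested one level deeper or a second box on the page would make the helper throw or return the wrong text. Suggest stating the single-message, direct-child expectation in the Javadoc, or returning a list of message texts if several boxes can be shown.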
    
  • xwiki-platform-core/xwiki-platform-test/xwiki-platform-test-ui/src/main/java/org/xwiki/test/ui/TestUtils.java  +1 −1  modified
    @@ -1193,7 +1193,7 @@ private List<String> extractListFromReference(EntityReference reference)
             for (EntityReference singleReference : spaceReference.removeParent(wikiReference).getReversedReferenceChain()) {
                 path.add(singleReference.getName());
             }
    -        if (reference.getType() == EntityType.DOCUMENT) {
    +        if (reference.getType() == EntityType.DOCUMENT || reference.getType() == EntityType.ATTACHMENT) {
                 path.add(reference.getName());
             }
             return path;
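Review bot: the new ATTACHMENT branch appends only the attachment's own name after the space segments; nothing in the visible lines adds the parent document name for an attachment reference, so unless the earlier part of extractListFromReference already accounts for the DOCUMENT parent, the path would come out as space/attachment rather than space/page/attachment and gotoPage would target the wrong URL. Worth a unit test that passes an AttachmentReference and checks the document segment is present in the returned list.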
    
