Persistent Cross-site Scripting (XSS) through CKEditor Configuration pages in XWiki Platform
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Because the CKEditor space carried no rights restriction of its own, any user with edit rights on the wiki could edit all pages in that space, including the editor's configuration pages. This makes it possible to perform a variety of harmful actions, such as removing technical documents, leading to loss of service, and editing the JavaScript configuration of CKEditor, leading to persistent XSS. This issue has been patched in XWiki 14.10.6 and XWiki 15.1, and in the CKEditor Integration extension 1.64.9 for XWiki versions older than 14.6RC1. Users are advised to upgrade. Users unable to upgrade may manually address the issue by restricting the edit and delete rights on the CKEditor space to a trusted user or group (e.g. the XWiki.XWikiAdminGroup group), which implicitly disables those rights for all other users. See commit 9d9d86179 for details.
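To verify that a wiki is actually protected, whether after the upgrade or after applying the manual workaround, the following added example (not part of the advisory and not XWiki project code) parses an exported CKEditor/WebPreferences.xml in the xwikidoc format that the patch adds and checks that edit and delete are granted only to trusted groups. The trusted-group set, the sample documents and the helper names are constructed assumptions; a real check would feed it the XML exported from the running wiki.

```python
"""Check that an XWiki space's WebPreferences restricts edit/delete to trusted groups.

Added example (not XWiki project code). It parses the xwikidoc XML export
format used by CKEditor/WebPreferences.xml and evaluates its
XWiki.XWikiGlobalRights objects. The trusted-group set and the sample
documents below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

# Assumption: only the admin group should be able to edit/delete CKEditor config pages.
TRUSTED_GROUPS = frozenset({"XWiki.XWikiAdminGroup"})
REQUIRED_LEVELS = frozenset({"edit", "delete"})


def _split(value):
    """XWiki stores multi-valued properties (groups, users, levels) as comma-separated lists."""
    return {v.strip() for v in (value or "").split(",") if v.strip()}


def parse_global_rights(xml_text):
    """Return one dict per XWiki.XWikiGlobalRights object: allow, groups, users, levels."""
    root = ET.fromstring(xml_text)
    rules = []
    for obj in root.findall("object"):
        if obj.findtext("className") != "XWiki.XWikiGlobalRights":
            continue
        rule = {"allow": False, "groups": set(), "users": set(), "levels": set()}
        # each <property> wraps exactly one element named after the property
        for prop in obj.findall("property"):
            for field in prop:
                if field.tag == "allow":
                    rule["allow"] = (field.text or "").strip() == "1"
                elif field.tag in ("groups", "users", "levels"):
                    rule[field.tag] = _split(field.text)
        rules.append(rule)
    return rules


def space_is_hardened(xml_text, trusted_groups=TRUSTED_GROUPS):
    """True when every allow rule touching edit/delete names only trusted groups
    (no individual users) and both levels are covered by such a rule.
    A document without any allow rule for these levels is NOT hardened: the
    space then inherits the wiki-wide rights, which is the vulnerable state."""
    covered = set()
    for rule in parse_global_rights(xml_text):
        if not rule["allow"]:
            continue  # deny rules never widen access
        hit = rule["levels"] & REQUIRED_LEVELS
        if not hit:
            continue
        if rule["users"] or not rule["groups"] or not rule["groups"] <= trusted_groups:
            return False  # this allow reaches someone outside the trusted set
        covered |= hit
    return covered == REQUIRED_LEVELS


# Constructed sample: mirrors the patched CKEditor/WebPreferences.xml (XML declaration omitted)
HARDENED_DOC = """<xwikidoc version="1.5" reference="CKEditor.WebPreferences" locale="">
  <web>CKEditor</web><name>WebPreferences</name>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>edit,delete</levels></property>
    <property><users/></property>
  </object>
</xwikidoc>"""

# Constructed sample: pre-fix state, the space has no rights object at all
OPEN_DOC = """<xwikidoc version="1.5" reference="CKEditor.WebPreferences" locale="">
  <web>CKEditor</web><name>WebPreferences</name>
</xwikidoc>"""

# Constructed sample: admins restricted, but a second allow hands edit back to every user
LEAKY_DOC = """<xwikidoc version="1.5" reference="CKEditor.WebPreferences" locale="">
  <web>CKEditor</web><name>WebPreferences</name>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAdminGroup</groups></property>
    <property><levels>edit,delete</levels></property>
    <property><users/></property>
  </object>
  <object>
    <className>XWiki.XWikiGlobalRights</className>
    <property><allow>1</allow></property>
    <property><groups>XWiki.XWikiAllGroup</groups></property>
    <property><levels>edit</levels></property>
    <property><users/></property>
  </object>
</xwikidoc>"""

if __name__ == "__main__":
    for label, doc in (("patched", HARDENED_DOC), ("open", OPEN_DOC), ("leaky", LEAKY_DOC)):
        print(label, "hardened" if space_is_hardened(doc) else "NOT hardened")
```

The check deliberately treats a missing rights object as unprotected rather than as neutral, because a space with no explicit allow on edit/delete inherits the wiki-wide rights, which is exactly the condition the advisory describes.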
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-ckeditor-ui | Maven | >= 14.6-rc-1, < 14.10.6 | 14.10.6 |
| org.xwiki.contrib:application-ckeditor-ui | Maven | >= 1.9, < 1.64.9 | 1.64.9 |
| org.xwiki.platform:xwiki-platform-ckeditor-ui | Maven | >= 15.0-rc-1, < 15.1 | 15.1 |
Affected products
- Range: org.xwiki.contrib:application-ckeditor-ui: >= 1.9, < 1.64.9
Patches
9d9d86179457 XWIKI-20590: Improved CKEditor visibility management
1 file changed · +123 −0
xwiki-platform-core/xwiki-platform-ckeditor/xwiki-platform-ckeditor-ui/src/main/resources/CKEditor/WebPreferences.xml+123 −0 added@@ -0,0 +1,123 @@ +<?xml version="1.1" encoding="UTF-8"?> + +<!-- + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. 
+--> + +<xwikidoc version="1.5" reference="CKEditor.WebPreferences" locale=""> + <web>CKEditor</web> + <name>WebPreferences</name> + <language/> + <defaultLanguage/> + <translation>0</translation> + <creator>xwiki:XWiki.Admin</creator> + <parent>CKEditor.WebHome</parent> + <author>xwiki:XWiki.Admin</author> + <contentAuthor>xwiki:XWiki.Admin</contentAuthor> + <version>1.1</version> + <title>$services.localization.render('admin.preferences.title')</title> + <comment/> + <minorEdit>false</minorEdit> + <syntaxId>xwiki/2.1</syntaxId> + <hidden>true</hidden> + <content/> + <object> + <name>CKEditor.WebPreferences</name> + <number>0</number> + <className>XWiki.XWikiGlobalRights</className> + <guid>71ae5d9d-eb05-41e1-9794-8011646619ed</guid> + <class> + <name>XWiki.XWikiGlobalRights</name> + <customClass/> + <customMapping/> + <defaultViewSheet/> + <defaultEditSheet/> + <defaultWeb/> + <nameField/> + <validationScript/> + <allow> + <defaultValue>1</defaultValue> + <disabled>0</disabled> + <displayFormType>select</displayFormType> + <displayType>allow</displayType> + <name>allow</name> + <number>4</number> + <prettyName>Allow/Deny</prettyName> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.BooleanClass</classType> + </allow> + <groups> + <cache>0</cache> + <disabled>0</disabled> + <displayType>input</displayType> + <multiSelect>1</multiSelect> + <name>groups</name> + <number>1</number> + <picker>1</picker> + <prettyName>Groups</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>5</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.GroupsClass</classType> + </groups> + <levels> + <cache>0</cache> + <disabled>0</disabled> + <displayType>select</displayType> + <multiSelect>1</multiSelect> + <name>levels</name> + <number>2</number> + <prettyName>Levels</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>3</size> + 
<unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.LevelsClass</classType> + </levels> + <users> + <cache>0</cache> + <disabled>0</disabled> + <displayType>input</displayType> + <multiSelect>1</multiSelect> + <name>users</name> + <number>3</number> + <picker>1</picker> + <prettyName>Users</prettyName> + <relationalStorage>0</relationalStorage> + <separator> </separator> + <size>5</size> + <unmodifiable>0</unmodifiable> + <classType>com.xpn.xwiki.objects.classes.UsersClass</classType> + </users> + </class> + <property> + <allow>1</allow> + </property> + <property> + <groups>XWiki.XWikiAdminGroup</groups> + </property> + <property> + <levels>edit,delete</levels> + </property> + <property> + <users/> + </property> + </object> +</xwikidoc>
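Review bot: the new `CKEditor.WebPreferences` document grants `edit,delete` through a single `XWiki.XWikiGlobalRights` object with `<allow>1</allow>`, `<groups>XWiki.XWikiAdminGroup</groups>` and an empty `<users/>`, so the protection rests entirely on XWiki's implicit-deny rule (an explicit allow on a space withdraws that level from everyone not listed). The commit message should say so, together with the consequence that any non-admin group that legitimately maintained the CKEditor configuration pages loses edit and delete on upgrade. Because the document is new to the module, installs where an administrator already created `CKEditor.WebPreferences` by hand (the advisory's suggested workaround) will meet a conflicting local document at upgrade time; the expected merge outcome should be documented. Leaving `view` untouched is correct, since the editor must still read its configuration pages.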
References
- github.com/advisories/GHSA-793w-g325-hrw2
- nvd.nist.gov/vuln/detail/CVE-2023-36477
- github.com/xwiki/xwiki-platform/commit/9d9d86179457cb8dc48b4491510537878800be4f
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-793w-g325-hrw2
- jira.xwiki.org/browse/CKEDITOR-508
- jira.xwiki.org/browse/XWIKI-20590