High severity · NVD Advisory · Published Oct 25, 2023 · Updated Sep 17, 2024

Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet

CVE-2023-37909

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.8 and 15.3-rc-1 by adding proper escaping. As a workaround, the patch can be manually applied to the document Menu.UIExtensionSheet; only three lines need to be changed.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.xwiki.platform:xwiki-platform-menu (Maven) | >= 5.1-rc-1, < 14.10.8 | 14.10.8
org.xwiki.platform:xwiki-platform-menu-ui (Maven) | >= 5.1-rc-1, < 14.10.8 | 14.10.8
org.xwiki.platform:xwiki-platform-menu-ui (Maven) | >= 15.0-rc-1, < 15.3-rc-1 | 15.3-rc-1

Patches

1
9e8f08009433

XWIKI-20746: Improve escaping in Menu.UIExtensionSheet

https://github.com/xwiki/xwiki-platform · Michael Hamann · Mar 27, 2023 · via ghsa
3 files changed · +97 −3
  • xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/pom.xml+7 0 modified
    @@ -122,6 +122,13 @@
           <scope>runtime</scope>
           <optional>true</optional>
         </dependency>
    +    <!-- Test dependencies. -->
    +    <dependency>
    +      <groupId>org.xwiki.platform</groupId>
    +      <artifactId>xwiki-platform-test-page</artifactId>
    +      <version>${project.version}</version>
    +      <scope>test</scope>
    +    </dependency>
       </dependencies>
       <build>
         <plugins>
    
  • xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/main/resources/Menu/UIExtensionSheet.xml+3 3 modified
    @@ -41,9 +41,9 @@
       #set ($shortId = $stringtool.removeStart($id, 'org.xwiki.platform.'))
       #set ($shortId = $stringtool.removeStart($shortId, 'platform.'))
       #if ("$!shortId" != '')
    -    $services.localization.render("menu.uix.extensionPoint.value.$shortId")
    +    $escapetool.xml($services.localization.render("menu.uix.extensionPoint.value.$shortId"))
       #else
    -    $services.localization.render('menu.uix.extensionPoint.value.nowhere')
    +    $escapetool.xml($services.localization.render('menu.uix.extensionPoint.value.nowhere'))
       #end
     #end
     ##
    @@ -85,7 +85,7 @@
             &lt;option value=""&gt;$services.localization.render('menu.uix.extensionPoint.value.nowhere')&lt;/option&gt;
             #foreach ($extensionPointId in $extensionPoints.keySet())
               #set ($selected = $extensionPointId == $selectedExtensionPointId)
    -          &lt;option value="$extensionPointId"#if ($selected) selected="selected"#end&gt;
    +          &lt;option value="$escapetool.xml($extensionPointId)"#if ($selected) selected="selected"#end&gt;
                 #displayExtensionPointTitle($extensionPointId)
               &lt;/option&gt;
             #end
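Review bot: The fixed placeholder option at the top of the second hunk, `&lt;option value=""&gt;$services.localization.render('menu.uix.extensionPoint.value.nowhere')&lt;/option&gt;`, is still emitted without `$escapetool.xml(...)`, while the very same key is now escaped inside `#displayExtensionPointTitle` in the first hunk; unless that translation is guaranteed to come only from trusted bundles, both sites should be treated alike, `&lt;option value=""&gt;$escapetool.xml($services.localization.render('menu.uix.extensionPoint.value.nowhere'))&lt;/option&gt;`. The `#displayExtensionPointTitle` macro begins above the first hunk, so its `$id` parameter's origin is not visible here; `$extensionPoints` is presumably populated from stored UI extension objects, which is why escaping `$extensionPointId` in the `value` attribute matters. A short comment above the macro, `## $shortId is derived from object data that any profile editor can set; keep the rendered title escaped`, would stop the next edit from reverting this.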
    
  • xwiki-platform-core/xwiki-platform-menu/xwiki-platform-menu-ui/src/test/java/org/xwiki/menu/UIExtensionSheetPageTest.java+87 0 added
    @@ -0,0 +1,87 @@
    +/*
    + * See the NOTICE file distributed with this work for additional
    + * information regarding copyright ownership.
    + *
    + * This is free software; you can redistribute it and/or modify it
    + * under the terms of the GNU Lesser General Public License as
    + * published by the Free Software Foundation; either version 2.1 of
    + * the License, or (at your option) any later version.
    + *
    + * This software is distributed in the hope that it will be useful,
    + * but WITHOUT ANY WARRANTY; without even the implied warranty of
    + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
    + * Lesser General Public License for more details.
    + *
    + * You should have received a copy of the GNU Lesser General Public
    + * License along with this software; if not, write to the Free
    + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
    + * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
    + */
    +package org.xwiki.menu;
    +
    +import org.jsoup.Jsoup;
    +import org.jsoup.nodes.Document;
    +import org.jsoup.nodes.Element;
    +import org.jsoup.select.Elements;
    +import org.junit.jupiter.api.Test;
    +import org.xwiki.model.reference.DocumentReference;
    +import org.xwiki.test.annotation.ComponentList;
    +import org.xwiki.test.page.HTML50ComponentList;
    +import org.xwiki.test.page.PageTest;
    +import org.xwiki.test.page.XWikiSyntax21ComponentList;
    +import org.xwiki.uiextension.internal.UIExtensionClassDocumentInitializer;
    +
    +import com.xpn.xwiki.doc.XWikiDocument;
    +import com.xpn.xwiki.objects.BaseObject;
    +
    +import static org.junit.jupiter.api.Assertions.assertEquals;
    +import static org.junit.jupiter.api.Assertions.assertNotNull;
    +
    +/**
    + * Page test for the document {@code Menu.UIExtensionSheet}.
    + *
    + * @version $Id$
    + */
    +@ComponentList({
    +    UIExtensionClassDocumentInitializer.class
    +})
    +@HTML50ComponentList
    +@XWikiSyntax21ComponentList
    +class UIExtensionSheetPageTest extends PageTest
    +{
    +    private static final DocumentReference SHEET_REFERENCE = new DocumentReference("xwiki", "Menu", "UIExtensionSheet");
    +
    +    @Test
    +    void escaping() throws Exception
    +    {
    +        DocumentReference testDocumentReference = new DocumentReference("xwiki", "space", "test");
    +        XWikiDocument testDocument = new XWikiDocument(testDocumentReference);
    +        BaseObject uiExtension =
    +            testDocument.newXObject(UIExtensionClassDocumentInitializer.UI_EXTENSION_CLASS, this.context);
    +        String extensionID = "\"{{/html}}</option>";
    +        String contentValue = "content +" + extensionID;
    +        uiExtension.setLargeStringValue(UIExtensionClassDocumentInitializer.CONTENT_PROPERTY, contentValue);
    +        uiExtension.setStringValue(UIExtensionClassDocumentInitializer.EXTENSION_POINT_ID_PROPERTY, extensionID);
    +        this.xwiki.saveDocument(testDocument, this.context);
    +
    +        this.context.setDoc(testDocument);
    +        this.context.setAction("edit");
    +
    +        XWikiDocument sheet = loadPage(SHEET_REFERENCE);
    +        String htmlContent = sheet.getRenderedContent(this.context);
    +        Document renderedDocument = Jsoup.parse(htmlContent);
    +
    +        Element selectElement = renderedDocument.getElementById("XWiki.UIExtensionClass_0_extensionPointId");
    +        assertNotNull(selectElement);
    +        Elements optionElement = selectElement.getElementsByAttributeValue("value", extensionID);
    +        assertEquals(1, optionElement.size());
    +        String extensionIdTitle = "menu.uix.extensionPoint.value." + extensionID;
    +        assertEquals(extensionIdTitle, optionElement.get(0).text());
    +
    +        selectElement = renderedDocument.getElementById("XWiki.UIExtensionClass_0_content");
    +        assertNotNull(selectElement);
    +        optionElement = selectElement.getElementsByAttributeValue("value", contentValue);
    +        assertEquals(1, optionElement.size());
    +        assertEquals(extensionIdTitle, optionElement.get(0).text());
    +    }
    +}
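Review bot: `escaping()` carries no Javadoc, so the choice of `"\"{{/html}}</option>"` as the payload is left unexplained; add `/** Checks that a value which would close the attribute, the HTML macro and the option element is rendered escaped in both select lists of the sheet. */` above the `@Test`. The second half of the method reuses `selectElement` and `optionElement` for the `XWiki.UIExtensionClass_0_content` select, which reads as a repeat of the first checks; naming them `contentSelect`/`contentOptions` would make the two assertions visibly distinct. The final `assertEquals(extensionIdTitle, optionElement.get(0).text())` on the content option is not obviously motivated from the test alone — a one-line comment on why the content select is expected to show the extension point title would help a reader who does not know the sheet.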
    

