Critical severityNVD Advisory· Published Oct 25, 2023· Updated Sep 10, 2024

XWiki Platform XSS vulnerability from account in the create page form via template provider

CVE-2023-45134

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-1 and prior to 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard starting in version 2.4-milestone-2 and prior to version 3.1-milestone-1 are vulnerable to cross-site scripting. An attacker can create a template provider on any document that is part of the wiki (could be the attacker's user profile) that contains malicious code. This code is executed when this template provider is selected during document creation which can be triggered by sending the user to a URL. For the attacker, the only requirement is to have an account as by default the own user profile is editable. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link. Depending on the rights of the user, this may allow remote code execution and full read and write access to the whole XWiki installation. This has been patched in org.xwiki.platform:xwiki-platform-web 13.4-rc-1, org.xwiki.platform:xwiki-platform-web-templates 14.10.2 and 15.5-rc-1, and org.xwiki.platform:xwiki-web-standard 3.1-milestone-1 by adding the appropriate escaping. The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-web-templatesMaven	< 14.10.12	14.10.12
org.xwiki.platform:xwiki-platform-web-templatesMaven	>= 15.0-rc-1, < 15.5-rc-1	15.5-rc-1
org.xwiki.platform:xwiki-web-standardMaven	>= 2.4-milestone-2, < 3.1-milestone-1	3.1-milestone-1
org.xwiki.platform:xwiki-platform-webMaven	>= 3.1-milestone-1, < 13.4-rc-1	13.4-rc-1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 3.1-milestone-1, < 13.4-rc-1

Patches

ba56fda17515

XWIKI-20962: Escape template provider errors during document creation

https://github.com/xwiki/xwiki-platformMichael HamannJun 5, 2023via ghsa

commit

2 files changed · +52 −2

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm+4 −2 modified

@@ -68,9 +68,11 @@
   <div class="box errormessage">
     #set($allowedSpaces = $createAllowedSpaces)
     #if ($allowedSpaces.size() == 1)
-      $services.localization.render('core.create.template.allowedspace.inline', [$templateProvider, $allowedSpaces.get(0)])
+      $escapetool.xml($services.localization.render('core.create.template.allowedspace.inline', [$templateProvider,
+        $allowedSpaces.get(0)]))
     #else
-      $services.localization.render('core.create.template.allowedspaces.inline', [$templateProvider, $allowedSpaces.toString()])
+      $escapetool.xml($services.localization.render('core.create.template.allowedspaces.inline', [$templateProvider,
+        $allowedSpaces.toString()]))
     #end
   </div>
 #end

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java

+48 −0 modified

@@ -20,6 +20,7 @@
 package org.xwiki.web;
 
 import java.util.List;
+import java.util.stream.Stream;
 
 import javax.inject.Inject;
 
@@ -28,6 +29,8 @@
 import org.jsoup.nodes.Element;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.MethodSource;
 import org.xwiki.template.TemplateManager;
 import org.xwiki.test.page.PageTest;
 import org.xwiki.velocity.VelocityManager;
@@ -118,4 +121,49 @@ void testDocumentAlreadyExistsError() throws Exception
             DOCUMENT_REFERENCE, viewURL, editURL);
         assertEquals(expectedMessage, errormessage.text());
     }
+
+    /**
+     * Test that when there is an exception about the template provider not allowing the chosen space, the allowed
+     * spaces are correctly escaped.
+     */
+    @ParameterizedTest
+    @MethodSource("allowedSpacesProvider")
+    void templateProviderRestrictionErrorEscaping(List<String> allowedSpaces) throws Exception
+    {
+        String provider = "\"provider</div>";
+        this.request.put("templateprovider", provider);
+        String template = "template</div>";
+
+        // Set "createException" to an XWikiException to simulate a template provider restriction error.
+        Object[] args = { template, DOCUMENT_REFERENCE, DOCUMENT_REFERENCE };
+        XWikiException exception = new XWikiException(XWikiException.MODULE_XWIKI_STORE,
+            XWikiException.ERROR_XWIKI_APP_TEMPLATE_NOT_AVAILABLE,
+            "Template {0} cannot be used in space {1} when creating page {2}", null, args);
+        this.velocityManager.getVelocityContext().put(CREATE_EXCEPTION_VELOCITY_KEY, exception);
+        // Set the allowed spaces to a list containing some HTML.
+        this.velocityManager.getVelocityContext().put("createAllowedSpaces", allowedSpaces);
+
+        // Render the template.
+        Document document = Jsoup.parse(this.templateManager.render(CREATE_INLINE_VM));
+        Element errormessage = document.getElementsByClass(ERROR_MESSAGE_CLASS).first();
+        assertNotNull(errormessage);
+
+        String expectedMessage;
+        if (allowedSpaces.size() == 1) {
+            expectedMessage = String.format("core.create.template.allowedspace.inline [%s, %s]",
+                provider, allowedSpaces.get(0));
+        } else {
+            expectedMessage = String.format("core.create.template.allowedspaces.inline [%s, %s]",
+                provider, allowedSpaces);
+        }
+        assertEquals(expectedMessage, errormessage.text());
+    }
+
+    static Stream<List<String>> allowedSpacesProvider()
+    {
+        return Stream.of(
+            List.of("allowedSpace</div>"),
+            List.of("allowedSpace1</div>", "allowedSpace2</div>")
+        );
+    }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-gr82-8fj2-ggc3ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-45134ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/ba56fda175156dd35035f2b8c86cbd8ef1f90c2eghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-gr82-8fj2-ggc3ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20962ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.004
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000