Critical severityNVD Advisory· Published Oct 25, 2023· Updated Sep 10, 2024

XWiki Platform XSS with edit right in the create document form for existing pages

CVE-2023-45137

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. org.xwiki.platform:xwiki-platform-web starting in version 3.1-milestone-2 and prior to version 13.4-rc-1, as well as org.xwiki.platform:xwiki-platform-web-templates prior to versions 14.10.12 and 15.5-rc-1, are vulnerable to cross-site scripting. When trying to create a document that already exists, XWiki displays an error message in the form for creating it. Due to missing escaping, this error message is vulnerable to raw HTML injection and thus XSS. The injected code is the document reference of the existing document so this requires that the attacker first creates a non-empty document whose name contains the attack code. This has been patched in org.xwiki.platform:xwiki-platform-web version 13.4-rc-1 and org.xwiki.platform:xwiki-platform-web-templates versions 14.10.12 and 15.5-rc-1 by adding the appropriate escaping. The vulnerable template file createinline.vm is part of XWiki's WAR and can be patched by manually applying the changes from the fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-web-templatesMaven	< 14.10.12	14.10.12
org.xwiki.platform:xwiki-platform-web-templatesMaven	>= 15.0-rc-1, < 15.5-rc-1	15.5-rc-1
org.xwiki.platform:xwiki-platform-webMaven	>= 3.1-milestone-2, < 13.4-rc-1	13.4-rc-1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 3.1-milestone-2, < 13.4-rc-1

Patches

ed8ec747967f

XWIKI-20961: Improve escaping for document exists error

https://github.com/xwiki/xwiki-platformMichael HamannJun 5, 2023via ghsa

commit

2 files changed · +38 −7

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/main/resources/templates/createinline.vm+1 −1 modified

@@ -79,7 +79,7 @@
   <div class='box errormessage'>
       ## Use the 'existingDocumentReference' context binding set by the create action for this case.
       $services.localization.render('core.create.page.error.docalreadyexists',
-        ["${existingDocumentReference}",
+        [$escapetool.xml("${existingDocumentReference}"),
          $xwiki.getURL($existingDocumentReference, 'view', ''),
          $xwiki.getURL($existingDocumentReference, 'edit', '')
         ]

xwiki-platform-core/xwiki-platform-web/xwiki-platform-web-templates/src/test/java/org/xwiki/web/CreateInlinePageTest.java

+37 −6 modified

@@ -51,6 +51,12 @@ class CreateInlinePageTest extends PageTest
      */
     private static final String CREATE_INLINE_VM = "createinline.vm";
 
+    private static final String DOCUMENT_REFERENCE = "xwiki:space.</div>page";
+
+    private static final String CREATE_EXCEPTION_VELOCITY_KEY = "createException";
+
+    private static final String ERROR_MESSAGE_CLASS = "errormessage";
+
     private VelocityManager velocityManager;
 
     @Inject
@@ -71,20 +77,45 @@ void setup() throws Exception
     void testNameValidationError() throws Exception
     {
         // Set "createException" to an XWikiException to simulate a validation error.
-        String documentReference = "xwiki:space.</div>page";
-        Object[] args = { documentReference };
+        Object[] args = { DOCUMENT_REFERENCE };
         XWikiException invalidNameException = new XWikiException(XWikiException.MODULE_XWIKI_STORE,
             XWikiException.ERROR_XWIKI_APP_DOCUMENT_NAME_INVALID,
             "Cannot create document {0} because its name does not respect the name strategy of the wiki.", null,
             args);
-        this.velocityManager.getVelocityContext().put("createException", invalidNameException);
-        this.velocityManager.getVelocityContext().put("invalidNameReference", documentReference);
+        this.velocityManager.getVelocityContext().put(CREATE_EXCEPTION_VELOCITY_KEY, invalidNameException);
+        this.velocityManager.getVelocityContext().put("invalidNameReference", DOCUMENT_REFERENCE);
+
+        // Render the template.
+        Document document = Jsoup.parse(this.templateManager.render(CREATE_INLINE_VM));
+        Element errormessage = document.getElementsByClass(ERROR_MESSAGE_CLASS).first();
+        assertNotNull(errormessage);
+        String expectedMessage = String.format("entitynamevalidation.create.invalidname [%s]", DOCUMENT_REFERENCE);
+        assertEquals(expectedMessage, errormessage.text());
+    }
+
+    /**
+     * Test that when there is an exception about the document already existing, the name is correctly escaped.
+     */
+    @Test
+    void testDocumentAlreadyExistsError() throws Exception
+    {
+        // Set "createException" to an XWikiException to simulate a document exists already error.
+        String urlToDocument = "space/%3C%2Fdiv%3Epage";
+        Object[] args = { DOCUMENT_REFERENCE };
+        XWikiException documentAlreadyExistsException = new XWikiException(XWikiException.MODULE_XWIKI_STORE,
+            XWikiException.ERROR_XWIKI_APP_DOCUMENT_NOT_EMPTY,
+            "Cannot create document {0} because it already has content", null, args);
+        this.velocityManager.getVelocityContext().put(CREATE_EXCEPTION_VELOCITY_KEY, documentAlreadyExistsException);
+        this.velocityManager.getVelocityContext().put("existingDocumentReference", DOCUMENT_REFERENCE);
 
         // Render the template.
         Document document = Jsoup.parse(this.templateManager.render(CREATE_INLINE_VM));
-        Element errormessage = document.getElementsByClass("errormessage").first();
+        Element errormessage = document.getElementsByClass(ERROR_MESSAGE_CLASS).first();
         assertNotNull(errormessage);
-        String expectedMessage = String.format("entitynamevalidation.create.invalidname [%s]", documentReference);
+        String viewURL = String.format("/xwiki/bin/view/%s", urlToDocument);
+        String editURL = String.format("/xwiki/bin/edit/%s", urlToDocument);
+        String expectedMessage = String.format("core.create.page.error.docalreadyexists [%s, %s, %s]",
+            DOCUMENT_REFERENCE, viewURL, editURL);
         assertEquals(expectedMessage, errormessage.text());
     }
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-93gh-jgjj-r929ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-45137ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/ed8ec747967f8a16434806e727a57214a8843581ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-93gh-jgjj-r929ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-20961ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000