High severityNVD Advisory· Published Nov 7, 2023· Updated Sep 12, 2024
Code execution via the edit action in XWiki platform
CVE-2023-46243
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view can be used to execute arbitrary groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. Users are advised to update. There are no known workarounds for this issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 15.0, < 15.2-rc-1 | 15.2-rc-1 |
org.xwiki.platform:xwiki-platform-oldcoreMaven | >= 1.0, < 14.10.6 | 14.10.6 |
Affected products
1- Range: >= 1.0, < 14.10.6
Patches
1a0e6ca083b36XWIKI-20385: Improve author handling in the edit action
3 files changed · +199 −3
xwiki-platform-core/xwiki-platform-oldcore/src/main/java/com/xpn/xwiki/web/EditAction.java+23 −0 modified@@ -19,6 +19,7 @@ */ package com.xpn.xwiki.web; +import javax.inject.Inject; import javax.inject.Named; import javax.inject.Singleton; import javax.script.ScriptContext; @@ -28,7 +29,10 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.xwiki.component.annotation.Component; +import org.xwiki.model.reference.DocumentReference; import org.xwiki.rendering.syntax.Syntax; +import org.xwiki.user.UserReference; +import org.xwiki.user.UserReferenceResolver; import com.xpn.xwiki.XWikiContext; import com.xpn.xwiki.XWikiException; @@ -50,6 +54,10 @@ public class EditAction extends XWikiAction */ private static final Logger LOGGER = LoggerFactory.getLogger(EditAction.class); + @Inject + @Named("document") + private UserReferenceResolver<DocumentReference> documentReferenceUserReferenceResolver; + /** * Default constructor. */ @@ -108,6 +116,21 @@ protected XWikiDocument prepareEditedDocument(XWikiContext context) throws XWiki updateDocumentTitleAndContentFromRequest(editedDocument, context); editedDocument.readAddedUpdatedAndRemovedObjectsFromForm(editForm, context); + // If the metadata is modified, modify the effective metadata author + if (editedDocument.isMetaDataDirty()) { + UserReference userReference = + this.documentReferenceUserReferenceResolver.resolve(context.getUserReference()); + editedDocument.getAuthors().setEffectiveMetadataAuthor(userReference); + editedDocument.getAuthors().setOriginalMetadataAuthor(userReference); + } + + // If the content is modified, modify the content author + if (editedDocument.isContentDirty()) { + UserReference userReference = + this.documentReferenceUserReferenceResolver.resolve(context.getUserReference()); + editedDocument.getAuthors().setContentAuthor(userReference); + } + // Set the current user as creator, author and contentAuthor when the edited document is newly created to avoid // using XWikiGuest instead (because those fields were not previously initialized). if (editedDocument.isNew()) {
xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/test/MockitoOldcore.java+6 −3 modified@@ -55,6 +55,7 @@ import org.xwiki.context.ExecutionContextManager; import org.xwiki.environment.Environment; import org.xwiki.environment.internal.ServletEnvironment; +import org.xwiki.model.document.DocumentAuthors; import org.xwiki.model.internal.reference.EntityReferenceFactory; import org.xwiki.model.reference.DocumentReference; import org.xwiki.model.reference.DocumentReferenceResolver; @@ -792,10 +793,12 @@ public Void answer(InvocationOnMock invocation) throws Throwable document.setMinorEdit(minorEdit); if (document.isContentDirty() || document.isMetaDataDirty()) { - document.setDate(new Date()); + Date ndate = new Date(); + document.setDate(ndate); if (document.isContentDirty()) { - document.setContentUpdateDate(new Date()); - document.setContentAuthorReference(document.getAuthorReference()); + document.setContentUpdateDate(ndate); + DocumentAuthors authors = document.getAuthors(); + authors.setContentAuthor(authors.getEffectiveMetadataAuthor()); } document.incrementVersion();
xwiki-platform-core/xwiki-platform-oldcore/src/test/java/com/xpn/xwiki/web/EditActionTest.java+170 −0 added@@ -0,0 +1,170 @@ +/* + * See the NOTICE file distributed with this work for additional + * information regarding copyright ownership. + * + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. + */ +package com.xpn.xwiki.web; + +import javax.inject.Named; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.mockito.Mock; +import org.xwiki.model.reference.DocumentReference; +import org.xwiki.store.TemporaryAttachmentSessionsManager; +import org.xwiki.test.junit5.mockito.InjectMockComponents; +import org.xwiki.test.junit5.mockito.MockComponent; +import org.xwiki.user.UserReference; +import org.xwiki.user.UserReferenceResolver; +import org.xwiki.user.UserReferenceSerializer; + +import com.xpn.xwiki.XWikiException; +import com.xpn.xwiki.doc.XWikiDocument; +import com.xpn.xwiki.test.MockitoOldcore; +import com.xpn.xwiki.test.junit5.mockito.InjectMockitoOldcore; +import com.xpn.xwiki.test.junit5.mockito.OldcoreTest; +import com.xpn.xwiki.test.reference.ReferenceComponentList; + +import static org.junit.jupiter.api.Assertions.assertSame; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +/** + * Validate {@link EditAction}. + * + * @version $Id$ + */ +@OldcoreTest +@ReferenceComponentList +public class EditActionTest +{ + private static final DocumentReference USER_DOCUMENT_REFERENCE = new DocumentReference("wiki", "XWiki", "user"); + + private static final UserReference USER_REFERENCE = mock(UserReference.class); + + private static final UserReference OTHERUSER_REFERENCE = mock(UserReference.class); + + @InjectMockComponents + private EditAction action; + + @InjectMockitoOldcore + private MockitoOldcore oldcore; + + @MockComponent + private TemporaryAttachmentSessionsManager temporaryAttachmentSessionsManager; + + @MockComponent + @Named("document") + private UserReferenceResolver<DocumentReference> documentReferenceUserReferenceResolver; + + @MockComponent + @Named("document") + private UserReferenceSerializer<DocumentReference> documentReferenceUserReferenceSerializer; + + @Mock + private XWikiRequest request; + + @BeforeEach + public void beforeEach() + { + when(this.documentReferenceUserReferenceResolver.resolve(USER_DOCUMENT_REFERENCE)).thenReturn(USER_REFERENCE); + when(this.documentReferenceUserReferenceSerializer.serialize(USER_REFERENCE)).thenReturn(USER_DOCUMENT_REFERENCE); + + this.oldcore.getXWikiContext().setUserReference(USER_DOCUMENT_REFERENCE); + } + + private String initAndRenderAction() throws XWikiException + { + EditForm form = new EditForm(); + form.reset(this.request); + + this.oldcore.getXWikiContext().setForm(form); + + return this.action.render(this.oldcore.getXWikiContext()); + } + + @Test + void documentAuthorsWhenDocumentDoesNotExist() throws XWikiException + { + XWikiDocument document = oldcore.getSpyXWiki().getDocument(new DocumentReference("wiki", "space", "page"), + this.oldcore.getXWikiContext()); + this.oldcore.getXWikiContext().setDoc(document); + + initAndRenderAction(); + + document = this.oldcore.getXWikiContext().getDoc(); + + assertSame(USER_REFERENCE, document.getAuthors().getContentAuthor()); + assertSame(USER_REFERENCE, document.getAuthors().getCreator()); + assertSame(USER_REFERENCE, document.getAuthors().getEffectiveMetadataAuthor()); + assertSame(USER_REFERENCE, document.getAuthors().getOriginalMetadataAuthor()); + } + + @Test + void documentAuthorsWhenDocumentExist() throws XWikiException + { + XWikiDocument document = this.oldcore.getSpyXWiki().getDocument(new DocumentReference("wiki", "space", "page"), + this.oldcore.getXWikiContext()); + document.getAuthors().setCreator(OTHERUSER_REFERENCE); + document.getAuthors().setContentAuthor(OTHERUSER_REFERENCE); + document.getAuthors().setEffectiveMetadataAuthor(OTHERUSER_REFERENCE); + document.getAuthors().setOriginalMetadataAuthor(OTHERUSER_REFERENCE); + this.oldcore.getSpyXWiki().saveDocument(document, this.oldcore.getXWikiContext()); + + document = this.oldcore.getSpyXWiki().getDocument(new DocumentReference("wiki", "space", "page"), + this.oldcore.getXWikiContext()); + this.oldcore.getXWikiContext().setDoc(document); + this.oldcore.getXWikiContext().put("tdoc", document); + + initAndRenderAction(); + + document = this.oldcore.getXWikiContext().getDoc(); + + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getContentAuthor()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getCreator()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getEffectiveMetadataAuthor()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getOriginalMetadataAuthor()); + } + + @Test + void documentAuthorsWhenDocumentExistAndContentIsModified() throws XWikiException + { + XWikiDocument document = this.oldcore.getSpyXWiki().getDocument(new DocumentReference("wiki", "space", "page"), + this.oldcore.getXWikiContext()); + document.getAuthors().setCreator(OTHERUSER_REFERENCE); + document.getAuthors().setContentAuthor(OTHERUSER_REFERENCE); + document.getAuthors().setEffectiveMetadataAuthor(OTHERUSER_REFERENCE); + document.getAuthors().setOriginalMetadataAuthor(OTHERUSER_REFERENCE); + this.oldcore.getSpyXWiki().saveDocument(document, this.oldcore.getXWikiContext()); + + document = this.oldcore.getSpyXWiki().getDocument(new DocumentReference("wiki", "space", "page"), + this.oldcore.getXWikiContext()); + this.oldcore.getXWikiContext().setDoc(document); + this.oldcore.getXWikiContext().put("tdoc", document); + + when(this.request.getParameter("content")).thenReturn("modified content"); + + initAndRenderAction(); + + document = this.oldcore.getXWikiContext().getDoc(); + + assertSame(USER_REFERENCE, document.getAuthors().getContentAuthor()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getCreator()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getEffectiveMetadataAuthor()); + assertSame(OTHERUSER_REFERENCE, document.getAuthors().getOriginalMetadataAuthor()); + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-g2qq-c5j9-5w5wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-46243ghsaADVISORY
- github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4ghsax_refsource_MISCWEB
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5wghsax_refsource_CONFIRMWEB
- jira.xwiki.org/browse/XWIKI-20385ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.