Critical severityNVD Advisory· Published Dec 15, 2023· Updated May 7, 2025

XWiki Platform remote code execution/programming rights with configuration section from any user account

CVE-2023-50723

Description

XWiki Platform is a generic wiki platform. Starting in 2.3 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, anyone who can edit an arbitrary wiki page in an XWiki installation can gain programming right through several cases of missing escaping in the code for displaying sections in the administration interface. This impacts the confidentiality, integrity and availability of the whole XWiki installation. Normally, all users are allowed to edit their own user profile so this should be exploitable by all users of the XWiki instance. This has been fixed in XWiki 14.10.15, 15.5.2 and 15.7RC1. The patches can be manually applied to the XWiki.ConfigurableClassMacros and XWiki.ConfigurableClass pages.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.xwiki.platform:xwiki-platform-administration-uiMaven	>= 2.3, < 14.10.15	14.10.15
org.xwiki.platform:xwiki-platform-administration-uiMaven	>= 15.0-rc-1, < 15.5.2	15.5.2
org.xwiki.platform:xwiki-platform-administration-uiMaven	>= 15.6-rc-1, < 15.7-rc-1	15.7-rc-1

Affected products

Xwiki/Xwiki Platformv5
Range: >= 2.3, < 14.10.15

Patches

749f6aee1bfb

XWIKI-21122: Improve escaping of configuration section headings

https://github.com/xwiki/xwiki-platformMichael HamannAug 2, 2023via ghsa

commit

2 files changed · +31 −2

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml

+5 −2 modified

@@ -161,6 +161,9 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
             {{warning}}{{translation key="xe.admin.configurable.cannotLockNoJavascript"/}}{{/warning}}
 
           &lt;/noscript&gt;
+        {{/html}}
+
+        {{html clean=false}}
           &lt;script&gt;
             document.observe("xwiki:dom:loaded", function() {
               XWiki.DocumentLock &amp;&amp; new XWiki.DocumentLock('$escapetool.javascript($app.prefixedFullName)').lock();
@@ -446,8 +449,8 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
 
   ## Finally we display an error message if there are any applications which we were unable to view.
   #if($appsUserCannotView.size() &gt; 0)
-
-    {{error}}$services.localization.render('xe.admin.configurable.noViewAccessSomeApplications', [$appsUserCannotView]){{/error}}
+    {{error}}$services.localization.render('xe.admin.configurable.noViewAccessSomeApplications',
+      'xwiki/2.1', [$appsUserCannotView]){{/error}}
 
   #end
 #end## If we should be looking at the main administration page.

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java

+26 −0 modified

@@ -21,6 +21,7 @@
 
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.BeforeEach;
@@ -182,4 +183,29 @@ void checkScriptRight(boolean hasScript) throws Exception
         }
         assertEquals(expected, htmlPage.selectFirst("h2").text());
     }
+
+    @Test
+    void escapeNonViewableSections() throws Exception
+    {
+        // Create a new section document.
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+
+        when(this.oldcore.getMockRightService()
+            .hasAccessLevel(eq("view"), any(), eq("xwiki:" + MY_SECTION_SERIALIZED), any())).thenReturn(false);
+
+        // Make sure the section document is returned by the query.
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+
+        DocumentReference docRef = new DocumentReference(WIKI_NAME, "\">{{/html}}{{noscript /}}", "WebHome");
+        XWikiDocument contextDoc = new XWikiDocument(docRef);
+        this.xwiki.saveDocument(contextDoc, this.context);
+        this.context.setDoc(contextDoc);
+
+        XWikiDocument doc = loadPage(CONFIGURABLE_CLASS);
+        Document htmlPage = renderHTMLPage(doc);
+        String errorMessage = Objects.requireNonNull(htmlPage.selectFirst("div.errormessage p")).text();
+        assertEquals(String.format("xe.admin.configurable.noViewAccessSomeApplications [[%s]]", MY_SECTION_SERIALIZED),
+            errorMessage);
+    }
 }

1157c1ecea39

XWIKI-21121: Improve handling of headings in configurable section

https://github.com/xwiki/xwiki-platformMichael HamannAug 2, 2023via ghsa

commit

3 files changed · +103 −5

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/pom.xml+26 −0 modified

@@ -118,6 +118,32 @@
       <type>test-jar</type>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-web-templates</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-security-authorization-script</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-user-default</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-user-default</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml

+7 −1 modified

@@ -206,7 +206,13 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
             ## Can't use $configurableObj.display('heading', 'view', false) to have proper heading id (because of the html macro)
             ## FIXME: find a cleaner solution
             #set($void = $doc.dropPermissions())
-            == #evaluate($heading) ==
+            #if ($services.security.authorization.hasAccess("script",
+              $app.authors.effectiveMetadataAuthor, $app.documentReference) &amp;&amp; !$app.restricted)
+              #set($evaluatedHeading = "#evaluate($heading)")
+            #else
+              #set($evaluatedHeading = $heading)
+            #end
+            == $services.rendering.escape($evaluatedHeading, 'xwiki/2.1') ==
           #end
           ## Display code to execute
           #if($codeToExecute != '')

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java

+70 −4 modified

@@ -25,6 +25,8 @@
 import org.jsoup.nodes.Document;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
 import org.mockito.Mock;
 import org.xwiki.localization.macro.internal.TranslationMacro;
 import org.xwiki.model.reference.DocumentReference;
@@ -33,20 +35,28 @@
 import org.xwiki.rendering.RenderingScriptServiceComponentList;
 import org.xwiki.rendering.internal.configuration.DefaultRenderingConfigurationComponentList;
 import org.xwiki.rendering.internal.macro.message.ErrorMessageMacro;
+import org.xwiki.rendering.internal.macro.message.WarningMessageMacro;
 import org.xwiki.script.service.ScriptService;
-import org.xwiki.template.script.TemplateScriptService;
+import org.xwiki.security.authorization.Right;
+import org.xwiki.security.script.SecurityScriptServiceComponentList;
 import org.xwiki.test.annotation.ComponentList;
 import org.xwiki.test.page.HTML50ComponentList;
 import org.xwiki.test.page.PageTest;
 import org.xwiki.test.page.TestNoScriptMacro;
 import org.xwiki.test.page.XWikiSyntax21ComponentList;
+import org.xwiki.user.UserReferenceComponentList;
+import org.xwiki.user.internal.converter.DocumentUserReferenceConverter;
+import org.xwiki.user.internal.document.DocumentUserReference;
 
 import com.xpn.xwiki.doc.XWikiDocument;
+import com.xpn.xwiki.internal.model.reference.DocumentReferenceConverter;
+import com.xpn.xwiki.objects.BaseObject;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyInt;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.when;
 
 /**
@@ -58,11 +68,15 @@
 @XWikiSyntax21ComponentList
 @RenderingScriptServiceComponentList
 @DefaultRenderingConfigurationComponentList
+@SecurityScriptServiceComponentList
+@UserReferenceComponentList
 @ComponentList({
     TestNoScriptMacro.class,
     TranslationMacro.class,
     ErrorMessageMacro.class,
-    TemplateScriptService.class
+    WarningMessageMacro.class,
+    DocumentUserReferenceConverter.class,
+    DocumentReferenceConverter.class
 })
 class ConfigurableClassPageTest extends PageTest
 {
@@ -77,9 +91,9 @@ class ConfigurableClassPageTest extends PageTest
         new DocumentReference(WIKI_NAME, SPACE_NAME, "ConfigurableClassMacros");
 
     private static final DocumentReference MY_SECTION =
-        new DocumentReference(WIKI_NAME, SPACE_NAME, "]]{{noscript /}}");
+        new DocumentReference(WIKI_NAME, SPACE_NAME, "]],{{noscript /}}");
 
-    private static final String MY_SECTION_SERIALIZED = "XWiki.]]{{noscript /}}";
+    private static final String MY_SECTION_SERIALIZED = "XWiki.]],{{noscript /}}";
 
     @Mock
     private QueryManagerScriptService queryService;
@@ -116,4 +130,56 @@ void escapeHeadingForError() throws Exception
         assertEquals(String.format("admin.customize %s:", MY_SECTION_SERIALIZED),
             htmlPage.selectFirst("h1").text());
     }
+
+    @Test
+    void escapeHeading() throws Exception
+    {
+        this.request.put("section", "other");
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+        when(this.oldcore.getMockRightService()
+            .hasAccessLevel(eq("edit"), any(), any(), any())).thenReturn(true);
+
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        BaseObject object = mySectionDoc.newXObject(CONFIGURABLE_CLASS, this.context);
+        object.setStringValue("displayInCategory", "other");
+        object.setStringValue("displayInSection", "other");
+        object.setStringValue("heading", "{{noscript /}}");
+        object.set("scope", "WIKI+ALL_SPACES", this.context);
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+
+        Document htmlPage = renderHTMLPage(CONFIGURABLE_CLASS);
+        assertEquals("{{noscript /}}", htmlPage.selectFirst("h2").text());
+    }
+
+    @ParameterizedTest
+    @ValueSource(booleans = {true, false})
+    void checkScriptRight(boolean hasScript) throws Exception
+    {
+        this.request.put("section", "other");
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+        when(this.oldcore.getMockRightService()
+            .hasAccessLevel(eq("edit"), any(), any(), any())).thenReturn(true);
+
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        BaseObject object = mySectionDoc.newXObject(CONFIGURABLE_CLASS, this.context);
+        object.setStringValue("displayInCategory", "other");
+        object.setStringValue("displayInSection", "other");
+        String originalHeading = "$appName {{noscript /}}";
+        object.setStringValue("heading", originalHeading);
+        object.set("scope", "WIKI+ALL_SPACES", this.context);
+        DocumentReference userReference = new DocumentReference(WIKI_NAME, SPACE_NAME, "Admin");
+        mySectionDoc.getAuthors().setEffectiveMetadataAuthor(new DocumentUserReference(userReference, true));
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+        when(this.oldcore.getMockAuthorizationManager().hasAccess(Right.SCRIPT,
+            userReference, mySectionDoc.getDocumentReference())).thenReturn(hasScript);
+
+        Document htmlPage = renderHTMLPage(CONFIGURABLE_CLASS);
+        String expected;
+        if (hasScript) {
+            expected = String.format("%s {{noscript /}}", MY_SECTION_SERIALIZED);
+        } else {
+            expected = originalHeading;
+        }
+        assertEquals(expected, htmlPage.selectFirst("h2").text());
+    }
 }

0f367aaae4e0

XWIKI-21194: Improve escaping of error message in ConfigurableClass

https://github.com/xwiki/xwiki-platformMichael HamannAug 1, 2023via ghsa

commit

1 file changed · +6 −1

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml

+6 −1 modified

@@ -241,7 +241,12 @@ $xwiki.jsfx.use('js/xwiki/actionbuttons/actionButtons.js', true)
                 #showHeading($appName, $headingShowing)
 
                 {{error}}
-                  {{translation key="xe.admin.configurable.noObjectOfConfigurationClassFound" parameters="$objClass.getName(), $app.getFullName()"/}}
+                  #set($escapedObjClassName =
+                    $services.rendering.escape($escapetool.java($objClass.getName()), 'xwiki/2.1'))
+                  #set($translationEscapedAppName =
+                    $services.rendering.escape($escapetool.java($app.getFullName()), 'xwiki/2.1'))
+                  {{translation key="xe.admin.configurable.noObjectOfConfigurationClassFound"
+                    parameters="~"$escapedObjClassName~", ~"$translationEscapedAppName~""/}}
                 {{/error}}
 
               #else

bd82be936c21

XWIKI-21122: Improve escaping of configuration section headings

https://github.com/xwiki/xwiki-platformMichael HamannJul 31, 2023via ghsa

commit

4 files changed · +138 −3

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/pom.xml+14 −0 modified

@@ -104,6 +104,20 @@
       <version>${commons.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-rendering-xwiki</artifactId>
+      <version>${project.version}</version>
+      <scope>test</scope>
+      <type>test-jar</type>
+    </dependency>
+    <dependency>
+      <groupId>org.xwiki.platform</groupId>
+      <artifactId>xwiki-platform-rendering-configuration-default</artifactId>
+      <version>${project.version}</version>
+      <type>test-jar</type>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
   <build>
     <plugins>

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClassMacros.xml

+4 −2 modified

@@ -34,7 +34,7 @@
   <title>$services.localization.render('xe.admin.configurable.macros.title')</title>
   <comment/>
   <minorEdit>false</minorEdit>
-  <syntaxId>xwiki/2.0</syntaxId>
+  <syntaxId>xwiki/2.1</syntaxId>
   <hidden>true</hidden>
   <content>{{velocity output="false"}}
 ## Constants:
@@ -325,8 +325,10 @@
 #macro(showHeading, $appName, $headingAlreadyShowing)
   #if(!$headingAlreadyShowing)
     #set($headingAlreadyShowing = true)
+    #set($escapedAppName = $services.rendering.escape($appName, 'xwiki/2.1'))
+    #set($doubleEscapedAppName = $services.rendering.escape($escapedAppName, 'xwiki/2.1'))
 
-    = {{translation key="admin.customize"/}} [[$appName&gt;&gt;$appName]]: =
+    = {{translation key="admin.customize"/}} [[$doubleEscapedAppName&gt;&gt;$escapedAppName]]: =
   #end
 #end

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/main/resources/XWiki/ConfigurableClass.xml

+1 −1 modified

@@ -34,7 +34,7 @@
   <title>$services.localization.render('xe.admin.configurable.title')</title>
   <comment/>
   <minorEdit>false</minorEdit>
-  <syntaxId>xwiki/2.0</syntaxId>
+  <syntaxId>xwiki/2.1</syntaxId>
   <hidden>true</hidden>
   <content>{{include reference="XWiki.ConfigurableClassMacros" /}}

xwiki-platform-core/xwiki-platform-administration/xwiki-platform-administration-ui/src/test/java/org/xwiki/administration/ConfigurableClassPageTest.java

+119 −0 added

@@ -0,0 +1,119 @@
+/*
+ * See the NOTICE file distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.xwiki.administration;
+
+import java.util.List;
+import java.util.Map;
+
+import org.jsoup.nodes.Document;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.mockito.Mock;
+import org.xwiki.localization.macro.internal.TranslationMacro;
+import org.xwiki.model.reference.DocumentReference;
+import org.xwiki.query.internal.ScriptQuery;
+import org.xwiki.query.script.QueryManagerScriptService;
+import org.xwiki.rendering.RenderingScriptServiceComponentList;
+import org.xwiki.rendering.internal.configuration.DefaultRenderingConfigurationComponentList;
+import org.xwiki.rendering.internal.macro.message.ErrorMessageMacro;
+import org.xwiki.script.service.ScriptService;
+import org.xwiki.template.script.TemplateScriptService;
+import org.xwiki.test.annotation.ComponentList;
+import org.xwiki.test.page.HTML50ComponentList;
+import org.xwiki.test.page.PageTest;
+import org.xwiki.test.page.TestNoScriptMacro;
+import org.xwiki.test.page.XWikiSyntax21ComponentList;
+
+import com.xpn.xwiki.doc.XWikiDocument;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.when;
+
+/**
+ * Page test of {@code XWiki.ConfigurableClass}.
+ *
+ * @version $Id$
+ */
+@HTML50ComponentList
+@XWikiSyntax21ComponentList
+@RenderingScriptServiceComponentList
+@DefaultRenderingConfigurationComponentList
+@ComponentList({
+    TestNoScriptMacro.class,
+    TranslationMacro.class,
+    ErrorMessageMacro.class,
+    TemplateScriptService.class
+})
+class ConfigurableClassPageTest extends PageTest
+{
+    private static final String WIKI_NAME = "xwiki";
+
+    private static final String SPACE_NAME = "XWiki";
+
+    private static final DocumentReference CONFIGURABLE_CLASS =
+        new DocumentReference(WIKI_NAME, SPACE_NAME, "ConfigurableClass");
+
+    private static final DocumentReference CONFIGURABLE_CLASS_MACROS =
+        new DocumentReference(WIKI_NAME, SPACE_NAME, "ConfigurableClassMacros");
+
+    private static final DocumentReference MY_SECTION =
+        new DocumentReference(WIKI_NAME, SPACE_NAME, "]]{{noscript /}}");
+
+    private static final String MY_SECTION_SERIALIZED = "XWiki.]]{{noscript /}}";
+
+    @Mock
+    private QueryManagerScriptService queryService;
+
+    @Mock
+    private ScriptQuery query;
+
+    @BeforeEach
+    void setUp() throws Exception
+    {
+        // Load the macros page so it can be included.
+        loadPage(CONFIGURABLE_CLASS_MACROS);
+
+        // Mock the query.
+        this.oldcore.getMocker().registerComponent(ScriptService.class, "query", this.queryService);
+        when(this.queryService.hql(anyString())).thenReturn(this.query);
+        when(this.query.addFilter(anyString())).thenReturn(this.query);
+        when(this.query.setLimit(anyInt())).thenReturn(this.query);
+        when(this.query.setOffset(anyInt())).thenReturn(this.query);
+        when(this.query.bindValues(any(Map.class))).thenReturn(this.query);
+        when(this.query.bindValues(any(List.class))).thenReturn(this.query);
+    }
+
+    @Test
+    void escapeHeadingForError() throws Exception
+    {
+        this.request.put("section", "other");
+        when(this.query.execute()).thenReturn(List.of(MY_SECTION_SERIALIZED)).thenReturn(List.of());
+
+        XWikiDocument mySectionDoc = new XWikiDocument(MY_SECTION);
+        this.xwiki.saveDocument(mySectionDoc, this.context);
+
+        Document htmlPage = renderHTMLPage(CONFIGURABLE_CLASS);
+        assertEquals(String.format("admin.customize %s:", MY_SECTION_SERIALIZED),
+            htmlPage.selectFirst("h1").text());
+    }
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-qj86-p74r-7wp5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2023-50723ghsaADVISORY
github.com/xwiki/xwiki-platform/commit/0f367aaae4e0696f61cf5a67a75edd27d1d16db6ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/commit/1157c1ecea395aac7f64cd8a6f484b1225416dc7ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/commit/749f6aee1bfbcf191c3734ea0aa9eba3aa63240eghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/commit/bd82be936c21b65dee367d558e3050b9b6995713ghsax_refsource_MISCWEB
github.com/xwiki/xwiki-platform/security/advisories/GHSA-qj86-p74r-7wp5ghsax_refsource_CONFIRMWEB
jira.xwiki.org/browse/XWIKI-21121ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-21122ghsax_refsource_MISCWEB
jira.xwiki.org/browse/XWIKI-21194ghsax_refsource_MISCWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.004
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000