// For flags

CVE-2023-37911

org.xwiki.platform:xwiki-platform-oldcore may leak data through deleted and re-created documents

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

3
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track*
*SSVC
Descriptions

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.

XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. A partir de la versión 9.4-rc-1 y anteriores a las versiones 14.10.8 y 15.3-rc-1, cuando un documento se elimina y se vuelve a crear, es posible que los usuarios con derecho de visualización en el documento recreado pero no en el documento eliminado para ver el contenido del documento eliminado. Esta situación podría surgir cuando se agregaron derechos al documento eliminado. Esto se puede explotar a través de la función de diferenciación y, parcialmente, a través de la API REST mediante el uso de versiones como `deleted:1` (donde el número cuenta las eliminaciones en la wiki y, por lo tanto, se puede adivinar). Con derechos suficientes, el atacante también puede volver a crear el documento eliminado, ampliando así el alcance a cualquier documento eliminado siempre que el atacante tenga derecho de edición en la ubicación del documento eliminado. Esta vulnerabilidad se ha solucionado en XWiki 14.10.8 y 15.3 RC1 comprobando correctamente los derechos cuando se accede a revisiones eliminadas de un documento. El único workaround es limpiar periódicamente los documentos eliminados para minimizar la posible exposición. Se debe tener especial cuidado al eliminar documentos confidenciales que están protegidos individualmente (y no, por ejemplo, al colocarlos en un espacio protegido) o al eliminar un espacio protegido en su totalidad.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Track*
Exploitation
Poc
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2023-07-10 CVE Reserved
  • 2023-10-25 CVE Published
  • 2024-09-17 CVE Updated
  • 2024-09-17 First Exploit
  • 2024-10-31 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-668: Exposure of Resource to Wrong Sphere
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Xwiki
Search vendor "Xwiki"
Xwiki
Search vendor "Xwiki" for product "Xwiki"
> 9.4 <= 14.10.8
Search vendor "Xwiki" for product "Xwiki" and version " > 9.4 <= 14.10.8"
-
Affected
Xwiki
Search vendor "Xwiki"
Xwiki
Search vendor "Xwiki" for product "Xwiki"
9.4
Search vendor "Xwiki" for product "Xwiki" and version "9.4"
rc1
Affected