XWiki Platform Async Macro Vulnerability Allows Unauthorized Access

CVE: CVE-2023-26471
CVSS v3.1: 10
Source: CVE-2023-26471

XWiki Platform is an open source wiki software that allows collaboration on documents. It was found to have a vulnerability in its async macro feature.

The async macro is supposed to run wiki content with restricted permissions to prevent execution of dangerous code. However, in versions 11.6 through 14.8, it did not properly apply these restrictions.

This meant that any user with permission to comment could use the async macro to run wiki code with full administrative privileges, allowing them to access and modify data without authorization. An attacker could exploit this to view or alter private documents.

The vulnerability has been fixed in XWiki versions 14.9, 14.4.6 and 13.10.10. If you use an earlier version, you are advised to update immediately. Administrators should also audit logs and documents for any changes made using this vulnerability.
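To turn the affected and fixed versions above into a quick inventory check, here is an added example (not XWiki's own code). It assumes XWiki version strings of the form major.minor[.patch], ignores pre-release suffixes, and treats 14.4.x and 13.10.x as maintenance branches that are safe from their backported fix onward; the sample inventory is constructed.

```python
import re

# Ranges from the advisory: affected from 11.6 up to 14.8; fixed in 14.9,
# with backports to 14.4.6 and 13.10.10 on the maintenance branches.
FIRST_AFFECTED = (11, 6, 0)
FIXED_MAIN = (14, 9, 0)
FIXED_BRANCHES = {(14, 4): (14, 4, 6), (13, 10): (13, 10, 10)}


def parse_version(text):
    """'14.4.6' or '14.10-rc-1' -> (14, 4, 6) / (14, 10, 0).
    Assumption: pre-release suffixes are ignored, missing parts are 0."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable XWiki version: {text!r}")
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version):
    """True if this XWiki version falls in the affected range for CVE-2023-26471."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIXED_MAIN:
        return False
    # A maintenance branch (14.4.x, 13.10.x) is safe from its backported fix on.
    fixed = FIXED_BRANCHES.get(v[:2])
    return fixed is None or v < fixed


def triage(inventory):
    """Hostnames from a {host: version} map that still need the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = {"wiki-prod": "14.8", "wiki-lts": "13.10.10",
                    "wiki-test": "14.4.5", "wiki-old": "11.5"}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: XWiki {SAMPLE_INVENTORY[host]} needs the CVE-2023-26471 fix")
```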

It’s a reminder that even small features can introduce big risks if not implemented securely. Keep software updated and review permissions regularly to catch and address issues before attackers can exploit them. Taking basic steps like applying patches promptly and limiting account access helps secure systems from unauthorized access.
