
CVE-2023-45138 : Security Advisory and Response

Learn about CVE-2023-45138 affecting xwiki-contrib/application-changerequest versions >= 0.11, < 1.9.2. Take immediate action to mitigate this critical vulnerability.

A critical vulnerability has been identified in the Change Request Application, allowing for XSS and remote code execution through the change request title.

Understanding CVE-2023-45138

This CVE affects the 'xwiki-contrib/application-changerequest' software, specifically versions greater than or equal to 0.11 and less than 1.9.2. It enables users without specific rights to inject scripts and execute remote code by manipulating the title during the creation of a new Change Request.

What is CVE-2023-45138?

The Change Request Application enables users to request modifications to a wiki without directly publishing the changes. However, versions from 0.11 up to but not including 1.9.2 are susceptible to a critical vulnerability that allows unauthorized users to perform script injection and remote code execution through the change request title. This flaw is particularly severe because the application is designed for use by users without specific rights to the wiki.

The Impact of CVE-2023-45138

The impact of this vulnerability is rated as critical, with a CVSS v3.1 base score of 10. It poses a high risk to confidentiality, integrity, and availability, with no privileges required for exploitation and no user interaction necessary.

Technical Details of CVE-2023-45138

The vulnerability arises from improper neutralization of input during web page generation, categorized under CWE-79. The attack complexity is low, and the attack vector is the network.

Vulnerability Description

The flaw allows users without specific rights to execute remote code by inserting malicious content in the Change Request title. Versions from 0.11 up to but not including 1.9.2 are affected; the fix ships in version 1.9.2.

Affected Systems and Versions

Vendor: xwiki-contrib
Product: application-changerequest
Affected Versions: >= 0.11, < 1.9.2
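A version triage helper for the affected range above, written as an added example rather than code from the advisory or the XWiki project. It compares dotted version strings component-wise (so 0.11 equals 0.11.0) and, as an assumption, ranks a pre-release qualifier such as -SNAPSHOT below the final release of the same number; the host inventory is constructed sample data.

```python
import re
from typing import List, Tuple

# Affected range stated in the advisory for xwiki-contrib/application-changerequest.
AFFECTED_MIN = "0.11"   # inclusive
FIXED_IN = "1.9.2"      # exclusive: this release carries the fix

VersionKey = Tuple[Tuple[int, ...], int]


def parse_version(version: str) -> VersionKey:
    """Turn a dotted version such as '1.9.2' or '1.9.2-SNAPSHOT' into a sortable key.

    Numeric components are compared left to right; missing trailing components
    count as 0, so '0.11' == '0.11.0'. Assumption: a qualifier after '-' marks a
    pre-release, which sorts below the final release with the same number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z0-9.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))  # pad so tuples compare component-wise
    is_release = 0 if m.group(2) else 1
    return numbers, is_release


def is_affected(version: str, low: str = AFFECTED_MIN, fixed: str = FIXED_IN) -> bool:
    """True when version lies in [low, fixed), i.e. is still exposed to CVE-2023-45138."""
    return parse_version(low) <= parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose installed Change Request extension needs upgrading.

    inventory: (host, installed_version) pairs, e.g. exported from each wiki's
    extension manager.
    """
    return [host for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    ("wiki-prod", "1.9.1"),
    ("wiki-staging", "1.9.2"),
    ("wiki-dev", "1.9.2-SNAPSHOT"),
    ("wiki-legacy", "0.10"),
    ("wiki-docs", "1.10"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: upgrade application-changerequest to {FIXED_IN} or later")
```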

Exploitation Mechanism

Attackers can exploit this vulnerability by creating a new Change Request and manipulating the title field to inject malicious scripts, leading to remote code execution.

Mitigation and Prevention

It is crucial to take immediate steps to address and prevent the exploitation of CVE-2023-45138.

Immediate Steps to Take

        Update Change Request to version 1.9.2 or later, which fixes the vulnerability.
        If upgrading is not immediately possible, consider editing the document ChangeRequest.Code.ChangeRequestSheet as a workaround.

Long-Term Security Practices

        Regularly update software to the latest versions to patch known vulnerabilities.
        Enforce strict input validation to prevent script injections and code execution.

Patching and Updates

Ensure timely installation of security patches and updates to safeguard against potential threats and vulnerabilities.
