Remote code execution from login screen through unescaped URL parameter in OAuth Identity XWiki App
CVE-2023-45144

CVSS 3.1 base score: 10.0 (CRITICAL)

Key Information:

Vendor: XWiki SAS (xwikisas)
CVE Published: 16 October 2023

What is CVE-2023-45144?

identity-oauth-ui is the UI component of the Identity OAuth extension, which provides OAuth-based login for XWiki installations. In affected versions, the identityOAuth parameters taken from the GET request are written into the login screen without escaping, so their values are vulnerable both to cross-site scripting (XSS) and to XWiki syntax injection. The login screen is reachable without authentication, and XWiki script macros execute with the rights of the document's author (for an extension page, typically an administrator with programming rights) rather than of the visitor. An unauthenticated attacker can therefore inject a {{groovy}} macro through the URL parameter and execute arbitrary code on the server, compromising the confidentiality, integrity and availability of the whole XWiki installation. The issue is fixed in Identity OAuth 1.6. No workarounds are known, so upgrading is the only remediation.
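The following Velocity fragment is an added illustration of the bug class, not code from the identity-oauth project: a request parameter concatenated into wiki content, beside the hardened form. The parameter name identityOAuthProvider, the page text and the macro layout are assumptions made for the example; the real template lives in the extension's sources.

```velocity
{{velocity}}
## VULNERABLE (hypothetical): the raw request parameter is concatenated into
## the page body. The output of the velocity macro is then parsed as XWiki
## syntax, so a value such as {{groovy}}...{{/groovy}} is executed as a macro
## with the rights of the page author, not of the anonymous visitor.
#set ($provider = $request.getParameter('identityOAuthProvider'))
Log in with **$provider**

## HARDENED: escape the value for the syntax it is inserted into, so the
## renderer treats every character as literal text and no macro can start.
## Values that end up inside HTML markup (for example a redirect URL in an
## href attribute) need $escapetool.xml instead, which covers the XSS half
## of the issue.
#set ($rawProvider = $request.getParameter('identityOAuthProvider'))
#set ($safeProvider = $services.rendering.escape($rawProvider, 'xwiki/2.1'))
Log in with **$safeProvider**
{{/velocity}}
```

The rule of thumb the hardened form follows: pick the escaper for the context the untrusted value lands in (wiki syntax, HTML body, HTML attribute, URL), never rely on the value "looking harmless", and apply it at the point of output.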

Affected Version(s)

identity-oauth >= 1.0, < 1.6

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Score: 10.0
Severity: CRITICAL
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published: 16 October 2023

  • Vulnerability reserved