CVE-2023-45136 — AI Deep Analysis Summary

🚨 **Essence**: Reflected XSS in XWiki Platform. 📉 **Consequences**: Attackers inject malicious scripts via document name validation. Victims executing the link suffer arbitrary action execution under their own rights.

🛡️ **Root Cause**: CWE-79 (Cross-site Scripting). 💥 **Flaw**: Improper neutralization of user input during document name validation when specific name strategies are enabled.

📦 **Affected**: XWiki Platform. 📅 **Versions**: 12.0-rc-1 through 12.10.11 AND 15.0 through 15.5-rc-1. 🏢 **Vendor**: XWiki Foundation.

💣 **Hackers Can**: Execute arbitrary JavaScript actions. 🎭 **Privileges**: Act with the **victim user's rights**. 📂 **Data**: Potential access to sensitive wiki content or configuration based on user permissions.

🔓 **Threshold**: Medium. 🔑 **Auth**: No authentication required for the vulnerability itself. 🖱️ **Config**: Requires User Interaction (UI:R) to click a malicious link.…

🔍 **Public Exp?**: Yes. 📜 **PoC**: Available via Nuclei templates (ProjectDiscovery). 🌐 **Link**: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-45136.yaml

🔎 **Self-Check**: Scan for XWiki instances. 🧪 **Feature**: Check if 'Name Strategy' validation is enabled. 🛠️ **Tool**: Use Nuclei with the specific CVE template to detect the reflection point.

✅ **Fixed**: Yes. 🩹 **Patch**: Update to **12.10.12+** or **15.5-rc-1+**. 🔗 **Commit**: ba56fda175156dd35035f2b8c86cbd8ef1f90c2e. 📢 **Advisory**: GHSA-qcj9-gcpg-4w2w.

🚧 **No Patch?**: Disable the specific **Name Strategy** for document name validation. 🛑 **Mitigation**: Ensure the feature is turned off if not strictly needed. This prevents the input vector from being triggered.

⚡ **Urgency**: High Priority. 🚨 **Reason**: CVSS Score is High (C:H, I:H, A:H). 📉 **Impact**: Full compromise of user context. 🏃 **Action**: Patch immediately or disable the vulnerable configuration.