CVE-2023-37277: XWiki Platform is a generic wiki platform offering runtime s..
Jul 10, 2023
Jul 18, 2023
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The REST API allows executing all actions via POST requests and accepts `text/plain`, `multipart/form-data` or `application/www-form-urlencoded` as content types which can be sent via regular HTML forms, thus allowing cross-site request forgery. With the interaction of a user with programming rights, this allows remote code execution through script macros and thus impacts the integrity, availability and confidentiality of the whole XWiki installation. For regular cookie-based authentication, the vulnerability is mitigated by SameSite cookie restrictions but as of March 2023, these are not enabled by default in Firefox and Safari. The vulnerability has been patched in XWiki 14.10.8 and 15.2 by requiring a CSRF token header for certain request types that are susceptible to CSRF attacks.
CVSS base metrics
Learn from academy
What is API?
Types of APIs
GraphQL vs REST
REST vs SOAP
GET vs POST
PUT vs POST
GraphQL Authentication and Authorization
Swagger for API Documentation
Explore more from Akto
Be updated about everything related to API Security, new API vulnerabilities, industry news and product updates.
Discover and find tests from Akto's 100+ API Security test library. Choose your template or add a new template to start your API Security testing.
Check out Akto's product documentation for all information related to features and how to use them.