Server-Side Request Forgery (SSRF) in XWiki platform - CVE-2023-48240

Published: November 20, 2023 / Updated: May 5, 2026


Vulnerability identifier: #VU129920
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-48240
CWE-ID: CWE-918
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
XWiki platform
Software vendor:
XWiki

Description

The vulnerability allows a remote user to steal login and session cookies, perform server-side request forgery, and disclose protected content.

The vulnerability exists because the code that fetches images for rendered diffs inserts sensitive information (the viewer's login and session cookies) into the data it sends and does not restrict the destination of the request when a rendered diff embeds external images. A remote user can embed or reference a crafted rendered diff so that the server requests attacker-controlled or protected resources, allowing the user to steal login and session cookies, perform server-side request forgery, and disclose protected content.

User interaction is required: a victim must view the diff, or an image that references the rendered diff. Because successful requests are cached, the fetched content can also be returned to other users.
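As an added example (not XWiki's code), the following Python sketch shows the three controls a defender would expect in a server-side image fetcher for rendered diffs: rejecting destinations that resolve to non-public addresses, stripping the viewer's credentials from the outbound request, and keying the cache per user. All function names, the injectable resolver and the sample hosts are assumptions for illustration.

```python
"""Hardened outbound image fetch for rendered diffs (added example, not XWiki code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Viewer request headers that must never be copied into the server-side fetch.
# Forwarding them is the "sensitive information in sent data" half of CWE-918 abuse.
CREDENTIAL_HEADERS = {"cookie", "authorization", "proxy-authorization"}

def default_resolver(host):
    """Resolve a hostname to the addresses a fetch would actually connect to."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def is_public_address(ip_text):
    """True only for globally routable unicast addresses (no loopback, RFC1918,
    link-local such as 169.254.169.254, ULA, multicast, or reserved ranges)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def check_image_destination(url, resolver=default_resolver):
    """Return (ok, reason). Rejects non-HTTP schemes, URLs with embedded
    credentials, and hosts that resolve to any non-public address; this is the
    "improper request destination restriction" half."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or embedded credentials"
    try:
        # IP literals are checked directly; hostnames go through the resolver
        # so a DNS name pointing at an internal address is caught too.
        ipaddress.ip_address(parts.hostname)
        addrs = [parts.hostname]
    except ValueError:
        try:
            addrs = resolver(parts.hostname)
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    bad = [a for a in addrs if not is_public_address(a)]
    if bad:
        return False, f"resolves to non-public address {bad[0]}"
    return True, "ok"

def outbound_headers(viewer_headers):
    """Headers for the server-side fetch: the viewer's credentials are dropped."""
    return {k: v for k, v in viewer_headers.items()
            if k.lower() not in CREDENTIAL_HEADERS}

def cache_key(url, user_id):
    """Cache per (user, url) so one user's fetched content is never served to another."""
    return f"{user_id}:{url}"
```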


Remediation

Install the security update from the vendor's website.

External links