CVE-2023-48240: 
Java vulnerability analysis and mitigation

The vulnerability (CVE-2023-48240) affects XWiki Platform, a generic wiki platform, and was discovered in version 11.10.1 through versions prior to 14.10.15, 15.5.1, and 15.6. The vulnerability relates to the platform's rendered diff functionality, which embeds images for content comparison. The issue was disclosed on November 20, 2023, and has been patched in versions 14.10.15, 15.5.1, and 15.6 (GitHub Advisory).

The vulnerability stems from XWiki's rendered diff functionality, which requests embedded images on the server side, including those from external domains. These requests include all cookies from the original request to handle images with restricted view rights. The vulnerability has received a CVSS v3.1 base score of 9.0 (Critical) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The issue is classified under multiple CWE categories including CWE-918 (Server-Side Request Forgery), CWE-281 (Improper Preservation of Permissions), and CWE-201 (Insertion of Sensitive Information Into Sent Data) (NVD).

The vulnerability allows attackers to steal login and session cookies, enabling impersonation of users viewing the diff. Additionally, it facilitates server-side request forgery attacks, as the result of any successful request is returned in the image's source. The vulnerability also enables viewing of protected content, as successfully cached resources become available to all users once cached by a user with appropriate access rights (GitHub Advisory, XWIKI Issue).

The vulnerability has been patched in XWiki versions 14.10.15, 15.5.1, and 15.6. The fix includes restricting the rendered diff to only download images from trusted domains and sending cookies only when the image's domain matches the requested domain. The cache has been modified to be user-specific. As a workaround for unpatched systems, administrators can disable the image embedding feature by deleting xwiki-platform-diff-xml-.jar in WEB-INF/lib/ (GitHub Advisory).