CVE-2023-37911: XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to ver...

Description

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.

Metrics

CVSS 3.1

6.5/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.75%

50.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Xwiki	Xwiki	> 9.4, <= 14.10.8	—
Xwiki	Xwiki	9.4	Rc1

References

https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpagesProduct
https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523fPatch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20684Exploit, Issue Tracking, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20685Exploit, Issue Tracking, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20817Exploit, Issue Tracking, Patch, Vendor Advisory
https://extensions.xwiki.org/xwiki/bin/view/Extension/Index%20Application#HPermanentlydeleteallpagesProduct
https://github.com/xwiki/xwiki-platform/commit/f471f2a392aeeb9e51d59fdfe1d76fccf532523fPatch
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gh64-qxh5-4m33Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20684Exploit, Issue Tracking, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20685Exploit, Issue Tracking, Patch, Vendor Advisory
https://jira.xwiki.org/browse/XWIKI-20817Exploit, Issue Tracking, Patch, Vendor Advisory

Timeline

Published: Oct 25, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-37911?

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 9.4-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, when a document has been deleted and re-created, it is possible for users with view right on the re-created document but not on the deleted document to view the contents of the deleted document. Such a situation might arise when rights were added to the deleted document. This can be exploited through the diff feature and, partially, through the REST API by using versions such as `deleted:1` (where the number counts the deletions in the wiki and is thus guessable). Given sufficient rights, the attacker can also re-create the deleted document, thus extending the scope to any deleted document as long as the attacker has edit right in the location of the deleted document. This vulnerability has been patched in XWiki 14.10.8 and 15.3 RC1 by properly checking rights when deleted revisions of a document are accessed. The only workaround is to regularly clean deleted documents to minimize the potential exposure. Extra care should be taken when deleting sensitive documents that are protected individually (and not, e.g., by being placed in a protected space) or deleting a protected space as a whole.

How severe is CVE-2023-37911?

CVE-2023-37911 has a CVSS score of 6.5/10 (MEDIUM severity). The EPSS model estimates a 0.75% probability of exploitation in the next 30 days.

How do I fix CVE-2023-37911?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.