Details
- Bug
- Resolution: Fixed
- Critical
- None
- Docker
Description
About the Vulnerability
This vulnerability is a CSS injection issue that allows an attacker to inject arbitrary styles into the rendered HTML of the page via a macro (e.g. warning) in the XWiki platform. Specifically, the injected CSS is not properly sanitised, allowing full control over layout, positioning, and visual behaviour of elements.
By injecting carefully crafted inline styles within a valid macro wrapper, the attacker can render a full-page invisible link that redirects users to an attacker-controlled site when clicked, without requiring JavaScript or interaction beyond a normal click anywhere on the page.
This was all tested and working within XWiki 16.10.10.
Walkthrough of the Vulnerability
- The vulnerable field is a macro-enabled field such as {{warning}}, which accepts HTML-like content.
- An attacker crafts a payload that injects a <div> with a style attribute using position: fixed;, width: 100vw; height: 100vh;, and opacity: 0; to cover the entire viewport invisibly.
- Inside that div, an <a> tag is used to link to a malicious external site. The entire page becomes one large clickable area.
- Once a user clicks anywhere on the page, they are taken to the attacker's site without any visual indication or warning.
- Exploit Code:
<div class="box" style="position:fixed;top:0;left:0;width:100vw;height:100vh;opacity:0;z-index:9999;">
<a href="https://attacker-site.com" style="display:block;width:100vw;height:100vh;"></a>
</div>
This payload can be URL-encoded and embedded inside a macro like {{warning}} or a comment block depending on the context allowed by the XWiki instance.
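The check below is an added illustration from the defender's side and is not XWiki code: it parses the inline style attributes in rendered macro output, flags any element that is both taken out of normal flow (position: fixed/absolute/sticky) and sized to cover the viewport, notes near-zero opacity as a further signal, and shows an allowlist-based style sanitiser as the render-time mitigation. The function names, the allowlist, the thresholds and the sample document are assumptions constructed for this example; the link target in the sample is a placeholder domain.

```python
# Added illustration (not XWiki's code): flag inline styles that can build the
# invisible, page-covering click overlay described above, and show an
# allowlist-based sanitiser as a server-side mitigation. All function names,
# thresholds and the sample document are assumptions constructed for this example.
from html.parser import HTMLParser
import re

# Values that take an element out of normal flow so it can sit over the page
_OUT_OF_FLOW = {"fixed", "absolute", "sticky"}
# 100vw / 100vh / 100% or an absurdly large pixel size (>= 1000px)
_FULL_SIZE = re.compile(r"^(100(\.0+)?(vw|vh|%)|\d{4,}px)$")
# Purely presentational properties a notice box legitimately needs; anything
# not listed (position, opacity, z-index, ...) is dropped by sanitize_style()
_ALLOWED_PROPS = {
    "color", "background-color", "font-weight", "font-style", "text-align",
    "padding", "margin", "border", "border-radius",
}


def parse_style(style):
    """Turn 'a: b; c: d' into {'a': 'b', 'c': 'd'}, lower-cased and trimmed.
    Chunks without a colon are ignored rather than raising."""
    decls = {}
    for chunk in style.split(";"):
        if ":" not in chunk:
            continue
        prop, _, value = chunk.partition(":")
        decls[prop.strip().lower()] = value.strip().lower()
    return decls


def style_risks(style):
    """Return the reasons an inline style looks like a click overlay.
    Each rule adds one string; an empty list means nothing suspicious."""
    d = parse_style(style)
    reasons = []
    if d.get("position") in _OUT_OF_FLOW:
        reasons.append("out-of-flow position: " + d["position"])
    if _FULL_SIZE.match(d.get("width", "")) and _FULL_SIZE.match(d.get("height", "")):
        reasons.append("viewport-covering size")
    try:
        if float(d.get("opacity", "1")) <= 0.1:
            reasons.append("near-invisible opacity: " + d["opacity"])
    except ValueError:
        pass  # e.g. opacity:inherit is not numeric, so no opinion on it
    if d.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    return reasons


def sanitize_style(style):
    """Keep only allowlisted declarations; this is the mitigation side."""
    d = parse_style(style)
    return ";".join(f"{p}:{v}" for p, v in d.items() if p in _ALLOWED_PROPS)


class _OverlayScanner(HTMLParser):
    """Collects elements whose style is both out of flow and page-covering."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        style = dict(attrs).get("style")
        if not style:
            return
        reasons = style_risks(style)
        positioned = any(r.startswith("out-of-flow") for r in reasons)
        if positioned and "viewport-covering size" in reasons:
            self.findings.append({"tag": tag, "reasons": reasons})


def scan_html(html):
    """Return a list of {'tag', 'reasons'} dicts, one per overlay-like element."""
    scanner = _OverlayScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate notice box followed by the overlay pattern
# from the report, with the link target replaced by a placeholder domain.
SAMPLE_HTML = (
    '<div class="box" style="color:#333; padding:4px">Benign notice</div>'
    '<div class="box" style="position:fixed;top:0;left:0;width:100vw;'
    'height:100vh;opacity:0;z-index:9999;">'
    '<a href="https://example.invalid" style="display:block;width:100vw;height:100vh;"></a>'
    '</div>'
)

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_HTML):
        print(hit["tag"], "->", ", ".join(hit["reasons"]))
    print("sanitised:", sanitize_style("position:fixed;color:red;opacity:0"))
```

Run on the sample, the scanner reports the outer div (fixed, viewport-covering, opacity 0) and leaves the benign box and the inner anchor alone, since the anchor is full-size but not positioned out of flow. The allowlist sanitiser is the stronger of the two: rather than enumerating bad declarations, it keeps only the handful a notice box needs, so position, opacity and z-index never reach the rendered page. It complements the strict Content Security Policy on inline styles that the Impact section names as the one header that stops this pattern, and covers deployments that cannot ship such a policy.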
Impact
This vulnerability enables a range of deceptive interaction attacks, including:
- Forced navigation: Users are silently redirected when clicking anywhere on the page.
- UI Redress (Clickjacking-style): Attackers can overlay fake UI elements (buttons, forms, links) and direct users to malicious pages.
- Phishing support: Can be used in social engineering campaigns by chaining with open redirects or branding imitation.
- Bypasses CSP & JavaScript restrictions: Because it relies solely on CSS/HTML layout control, it often bypasses common security headers (except a strict Content Security Policy that blocks inline styles or limits style-src).
While there is no JavaScript execution, the ability to invisibly hijack user interaction and initiate off-site navigation gives it moderate to high security relevance.
CVSS 3.1 base score: 6.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L
Attribution
Tomas Keech - Sentrium Security Ltd