CVE-2023-29506

XWiki Commons are technical libraries common to several other top level XWiki projects. It was possible to inject some code using the URL of authenticated endpoints. This problem has been patched on XWiki 13.10.11, 14.4.7 and 14.10.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
GitHub_MCNA
5.4 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
VendorProductVersion
xwikixwiki
13.10.8 ≤
𝑥
< 13.10.11
xwikixwiki
14.4.3 ≤
𝑥
< 14.4.7
xwikixwiki
14.6
xwikixwiki
14.10:rc1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
https://jira.xwiki.org/browse/XWIKI-20335
https://github.com/xwiki/xwiki-platform/commit/1943ea26c967ef868fb5f67c487d98d97cba0380
https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-jjm5-5v9v-7hx2
https://jira.xwiki.org/browse/XWIKI-20335