CVE-2023-35156
23.06.2023, 19:15
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Users are able to forge an URL with a payload allowing to inject Javascript in the page (XSS). It's possible to exploit the delete template to perform a XSS, e.g. by using URL such as: > xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). This vulnerability exists since XWiki 6.0-rc-1. The vulnerability has been patched in XWiki 14.10.6 and 15.1. Note that a partial patch has been provided in 14.10.5 but wasn't enough to entirely fix the vulnerability.
| Vendor | Product | Version |
|---|---|---|
| xwiki | xwiki | 6.0.1 ≤ 𝑥 < 14.10.6 |
| xwiki | xwiki | 6.0:milestone1 |
| xwiki | xwiki | 6.0:milestone2 |
| xwiki | xwiki | 15.0 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-87 - Improper Neutralization of Alternate XSS SyntaxThe software does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
References