CVE-2023-29201

2023-04-1515:15:08

CWE-79

[email protected]

web.nvd.nist.gov

266

xwiki

html cleaner

xss

javascript injection

cross-site scripting

cve-2023-29201

9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

9.1 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.4%

JSON

XWiki Commons are technical libraries common to several other top level XWiki projects. The “restricted” mode of the HTML cleaner in XWiki, introduced in version 4.2-milestone-1, only escaped <script> and <style>-tags but neither attributes that can be used to inject scripts nor other dangerous HTML tags like <iframe>. As a consequence, any code relying on this “restricted” mode for security is vulnerable to JavaScript injection (“cross-site scripting”/XSS). When a privileged user with programming rights visits such a comment in XWiki, the malicious JavaScript code is executed in the context of the user session. This allows server-side code execution with programming rights, impacting the confidentiality, integrity and availability of the XWiki instance. This problem has been patched in XWiki 14.6 RC1 with the introduction of a filter with allowed HTML elements and attributes that is enabled in restricted mode. There are no known workarounds apart from upgrading to a version including the fix.

Affected configurations

Vulners

NVD

Node

xwikicommonsRange4.2-milestone-1–14.6-rc-1

VendorProductVersionCPE
xwikicommons*cpe:2.3:a:xwiki:commons:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
xwiki	commons	*	cpe:2.3:a:xwiki:commons::::::::

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-commons",
    "versions": [
      {
        "version": ">= 4.2-milestone-1, < 14.6-rc-1",
        "status": "affected"
      }
    ]
  }
]