Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2023-32070
HistoryMay 10, 2023 - 6:15 p.m.

CVE-2023-32070

2023-05-1018:15:10
CWE-83
CWE-79
GitHub_M
web.nvd.nist.gov
24
xwiki
platform
14.6-rc-1
xss
cross-site scripting
security vulnerability
html rendering

CVSS3

9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON

XWiki Platform is a generic wiki platform. Prior to version 14.6-rc-1, HTML rendering didn’t check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. This has been patched in XWiki 14.6-rc-1. There are no known workarounds apart from upgrading to a fixed version.

Affected configurations

Nvd
Vulners
Node
xwikirenderingMatch3.0milestone_2
OR
xwikixwikiRange14.5
VendorProductVersionCPE
xwikirendering3.0cpe:2.3:a:xwiki:rendering:3.0:milestone_2:*:*:*:*:*:*
xwikixwiki*cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-rendering",
    "versions": [
      {
        "version": "< 14.6-rc-1",
        "status": "affected"
      },
      {
        "version": "<= 3.0-milestone-2",
        "status": "affected"
      }
    ]
  }
]

Related

openvas 1
nvd 1
veracode 1
github 1
cvelist 1
prion 1
osv 4
openvas
openvas
XWiki 3.0-milestone-2 < 14.6-rc-1 XSS Vulnerability (GHSA-6gf5-c898-7rxp)
2023-08-18 00:00:00
nvd
nvd
CVE-2023-32070
2023-05-10 18:15:10
veracode
veracode
Cross-Site Scripting (XSS)
2023-05-15 01:40:00
github
github
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
2023-05-11 20:37:30
cvelist
cvelist
CVE-2023-32070 Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
2023-05-10 17:18:06
prion
prion
Cross site scripting
2023-05-10 18:15:00
osv
osv
org.xwiki.rendering:xwiki-rendering-xml Improper Neutralization of Invalid Characters in Identifiers in Web Pages vulnerability
2023-10-25 21:02:49
Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers
2023-05-11 20:37:30
CVE-2023-37908
2023-10-25 18:17:28

CVSS3

9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

AI Score

6.2

Confidence

High

EPSS

0.001

Percentile

37.4%

JSON
Related for CVE-2023-32070
openvas1nvd1veracode1github1cvelist1prion1osv4