cvelist
GitHub_M
CVELIST:CVE-2023-26480
Mar 02, 2023 - 5:09 p.m.

CVE-2023-26480 XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

2023-03-02 17:09:18
CWE-79
GitHub_M
www.cve.org
xwiki-platform
cross-site scripting
live data
html displayer
vulnerability
patch
version 12.10
version 14.9
version 14.4.7
version 13.10.10
wiki platform

CVSS3: 8.9
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

AI Score: 8.5
Confidence: High

EPSS: 0.001
Percentile: 36.8%

XWiki Platform is a generic wiki platform. Starting in version 12.10, a user without script rights can introduce stored cross-site scripting (XSS) by using the Live Data macro. This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. There are no known workarounds.

CNA Affected

[
  {
    "vendor": "xwiki",
    "product": "xwiki-platform",
    "versions": [
      {
        "version": ">= 12.10, < 13.10.10",
        "status": "affected"
      },
      {
        "version": ">= 14.0, < 14.4.7",
        "status": "affected"
      },
      {
        "version": ">= 14.5, < 14.9",
        "status": "affected"
      }
    ]
  }
]
