Source: NVD (NVD:CVE-2023-35153)
History: Jun 23, 2023 - 6:15 p.m.

CVE-2023-35153

2023-06-23 18:15:13
CWE-80
CWE-79
web.nvd.nist.gov
Tags: xwiki, platform, cross-site scripting, vulnerability, versions, patch, appwithinminutes, classeditsheet, workaround

CVSS3: 5.4
  Vector:                CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
  Attack Vector:         NETWORK
  Attack Complexity:     LOW
  Privileges Required:   LOW
  User Interaction:      REQUIRED
  Scope:                 CHANGED
  Confidentiality Impact: LOW
  Integrity Impact:      LOW
  Availability Impact:   NONE

AI Score: 8.6 (Confidence: High)

EPSS: 0.001 (Percentile: 26.9%)

XWiki Platform is a generic wiki platform. Starting in version 5.4.4 and prior to versions 14.4.8, 14.10.4, and 15.0, a stored cross-site scripting vulnerability can be exploited by users with edit rights by adding an AppWithinMinutes.FormFieldCategoryClass class on a page and setting the payload in the page title. Then, any user visiting /xwiki/bin/view/AppWithinMinutes/ClassEditSheet executes the payload. The issue has been patched in XWiki 14.4.8, 14.10.4, and 15.0. As a workaround, update AppWithinMinutes.ClassEditSheet with the patch.

Affected configurations

NVD node (any of the following):
  xwiki / xwiki, range 5.4.4 up to (excluding) 14.4.8
  OR
  xwiki / xwiki, range 14.10 up to (excluding) 14.10.4
  OR
  xwiki / xwiki, match 15.0 rc1

Vendor   Product   Version   CPE
xwiki    xwiki     *         cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
xwiki    xwiki     15.0      cpe:2.3:a:xwiki:xwiki:15.0:rc1:*:*:*:*:*:*

